CVE-2025-46199

9.8 CRITICAL

📋 TL;DR

A cross-site scripting (XSS) vulnerability in Grav CMS versions 1.7.48 and earlier allows attackers to inject malicious scripts into form fields. When exploited, this enables arbitrary JavaScript execution in victims' browsers. All Grav installations using vulnerable versions are affected.

💻 Affected Systems

Products:
  • Grav CMS
Versions: 1.7.48 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Grav installations with form functionality are vulnerable. No special configuration required.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator session cookies, take over admin accounts, upload webshells, and achieve full site compromise leading to data theft or defacement.

🟠

Likely Case

Attackers inject malicious scripts to steal user session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before reaching users' browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires submitting malicious payloads to vulnerable form fields. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.49 or later

Vendor Advisory: https://getgrav.org/blog/grav-1-7-49-released

Restart Required: No

Instructions:

1. Backup your Grav installation.
2. Update Grav via command line: bin/gpm selfupgrade
3. Update plugins: bin/gpm update
4. Clear cache: bin/grav clearcache

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize form submissions

Implement custom form validation in user/plugins/form/form.php

Content Security Policy

all

Add CSP headers to restrict script execution sources

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or configure in user/config/system.yaml

🧯 If You Can't Patch

  • Disable or restrict form submissions on public-facing pages
  • Implement WAF rules to block XSS payload patterns in form data

🔍 How to Verify

Check if Vulnerable:

Check Grav version in admin panel or run: php bin/grav version

Check Version:

php bin/grav version

Verify Fix Applied:

Confirm version is 1.7.49+ and test form submissions with XSS payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual form submissions with script tags
  • POST requests containing <script>, javascript:, or eval() patterns

Network Indicators:

  • HTTP requests with XSS payloads in form parameters
  • Unexpected JavaScript execution in browser responses

SIEM Query:

source="web_logs" AND (form_data CONTAINS "<script>" OR form_data CONTAINS "javascript:")
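The log indicators and SIEM query above are case-sensitive and only match literal strings, so a URL-encoded or mixed-case payload slips past them. The following detection script is an added example (not part of this advisory or of Grav): it applies the same indicators to constructed JSON log records of form submissions, after URL-decoding and with case-insensitive matching, and also flags inline event-handler attributes, which the advisory's list does not name.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample records (not from any real deployment): one JSON object per
# line, as an application or WAF log that captures POST form bodies might emit.
SAMPLE_LOGS = """\
{"ts":"2025-05-01T10:00:01Z","method":"POST","path":"/contact","src":"203.0.113.5","form_data":"name=Alice&message=Hello+there"}
{"ts":"2025-05-01T10:00:07Z","method":"POST","path":"/contact","src":"203.0.113.9","form_data":"name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&message=hi"}
{"ts":"2025-05-01T10:00:12Z","method":"POST","path":"/contact","src":"203.0.113.9","form_data":"name=Bob&website=JavaScript%3Aalert(1)"}
{"ts":"2025-05-01T10:00:20Z","method":"GET","path":"/contact","src":"203.0.113.7","form_data":""}
{"ts":"2025-05-01T10:00:31Z","method":"POST","path":"/contact","src":"203.0.113.9","form_data":"name=Eve&message=x%22%3E%3Cimg+src%3Dx+onerror%3Deval(atob(%27Zm9v%27))%3E"}
"""

# The advisory's indicators (<script>, javascript:, eval()) plus inline event
# handlers; all matched case-insensitively against the decoded form body.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("eval_call", re.compile(r"\beval\s*\(", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]

def decode_form(raw: str) -> str:
    """URL-decode twice so a double-encoded '<' (%253C) is also seen as '<'.
    The second pass may turn an encoded literal '+' into a space; acceptable for detection."""
    return unquote_plus(unquote_plus(raw))

def scan_logs(text: str) -> list[dict]:
    """Return one finding per POST record whose decoded form data matches an XSS pattern."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":      # form submissions arrive as POST
            continue
        decoded = decode_form(rec.get("form_data", ""))
        hits = [name for name, rx in XSS_PATTERNS if rx.search(decoded)]
        if hits:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "path": rec["path"], "indicators": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
```

Against the sample records the script flags three of the four POSTs, including the encoded `<script>` and mixed-case `JavaScript:` payloads that a literal-string query would miss.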
