
Sagar Banwa

#21525 of 53,635
11.2 Total CVSS
Vulnerabilities · 2
Medium: 2
PT-2026-4779
6.4
2026-01-26
Getgrav · Grav Cms Admin Plugin · CVE-2020-36955
**Name of the Vulnerable Software and Affected Versions**

Grav CMS version 1.6.30
Admin Plugin version 1.9.18

**Description**

A persistent cross-site scripting issue allows authenticated attackers to inject malicious scripts through the page title field. This occurs when an attacker creates a new page containing a malicious script in the title, which then executes when the page is viewed within the admin panel or on the site.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2020-17117
4.8
2020-12-02
Lepton · Leptoncms · CVE-2020-29240
**Name of the Vulnerable Software and Affected Versions**

Lepton-CMS version 4.7.0

**Description**

The issue is related to cross-site scripting (XSS), where an attacker can inject an XSS payload in the URL field of the admin page. This XSS will be triggered each time an admin visits the Menu-Pages-Pages Overview section.

**Recommendations**

For Lepton-CMS version 4.7.0, as a temporary workaround, consider restricting access to the admin page and the Menu-Pages-Pages Overview section to minimize the risk of exploitation. Avoid using the URL field in the admin page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.