CVE-2026-44737

Name of the Vulnerable Software and Affected Versions grav-plugin-admin versions prior to 1.10.49.5

Description The application fails to properly validate and sanitize user input in the data[header][title] parameter. This allows attackers to craft a malicious URL containing a Cross-Site Scripting (XSS) payload. When accessed, the injected script is reflected in the HTTP response and executed within the victim's browser session. This issue affects the '/admin/pages/[page]' endpoint.

Recommendations Update to version 1.10.49.5.