CVE-2020-37256
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
Grav before version 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access.
Risk Assessment
The risk for the organization includes system takeover by an attacker with page editor privileges, potentially leading to data theft, malware installation, and further attack escalation.
Recommendation
It is recommended to immediately update Grav to version 1.6.30 or later and review user permissions for page editor access.
Original NVD description (English source)
Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious scripts to execute arbitrary code and install malicious plugins for system access.

