{"id":"CVE-2019-16126","details":"Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images.","aliases":["GHSA-6268-v434-45m5"],"modified":"2026-04-10T04:15:51.455926Z","published":"2019-09-09T02:15:10.470Z","references":[{"type":"EVIDENCE","url":"https://github.com/getgrav/grav/issues/2657"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/getgrav/grav","events":[{"introduced":"0"},{"last_affected":"dab30673e04769bb8ce1e8f4f42ddcfe2d4a6c6f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.6.15"}]}}],"versions":["0.8.0","0.9.0","0.9.10","0.9.11","0.9.12","0.9.13","0.9.14","0.9.15","0.9.16","0.9.17","0.9.18","0.9.19","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","1.1.0-beta.1","1.1.0-beta.2","1.1.0-beta.3","1.1.0-beta.4","1.1.0-beta.5","1.1.0-rc.1","1.1.0-rc.2","1.1.0-rc.3","1.1.17","1.1.9-rc.1","1.1.9-rc.2","1.1.9-rc.3","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.3.0","1.3.1","1.3.10","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.5.0","1.5.1","1.5.10","1.5.2","1.5.3","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6.0","1.6.1","1.6.10","1.6.11","1.6.12","1.6.13","1.6.14","1.6.15","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16126.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}