CVE-2026-42612
Stored XSS in Grav CMS

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling unquoted HTML event attributes. This vulnerability is fixed in 2.0.0-beta.2.
Meta Information
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: getgrav
Product: grav
Version / Range: all versions before 2.0.0-beta.2 (2.0.0-beta.2 itself excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the Grav CMS versions before 2.0.0-beta.2. It allows publisher-level accounts to execute arbitrary JavaScript code by exploiting a flaw in the detectXss() function. The problem arises because the function's blacklist filtering can be bypassed when handling unquoted HTML event attributes, such as onerror. Attackers can inject malicious scripts that run when other users view the compromised content.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers with publisher-level access to inject malicious JavaScript into content. When other users view this content, the malicious scripts can execute, potentially leading to session hijacking, unauthorized actions on behalf of the user, or theft of sensitive information such as cookies.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by scanning Grav CMS instances for the presence of unquoted HTML event attributes in user-generated content, especially those starting with "on" such as "onerror". Look for payloads similar to <img src=x onerror=eval(atob(...))> which exploit the blacklist bypass in the detectXss() function.

You can use commands to search for suspicious patterns in Grav content files or database entries where publisher-level users can add content. For example, using grep on the Grav content directory to find unquoted event handlers:

  • grep -r -E "<[^>]+on[a-zA-Z]+=([^\"'[:space:]][^ >]*)" /path/to/grav/content

This command searches recursively for HTML tags with unquoted on* attributes which may indicate attempts to exploit the vulnerability.

Additionally, monitoring HTTP traffic for suspicious payloads containing base64-encoded JavaScript or unusual event handlers in user inputs or stored content may help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Grav CMS to version 2.0.0-beta.2 or later, where the vulnerability is fixed by improving the regex in the detectXss() function to properly detect unquoted on* event attributes.

Until the upgrade can be performed, restrict publisher-level account permissions to trusted users only, as these accounts can inject malicious JavaScript.

Additionally, review and sanitize any user-generated content to remove unquoted event handlers or suspicious scripts.

Implement Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of potential XSS attacks.
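
The detection step from the previous answer and the content-review step from this one, as an added example that is not part of this record and is not Grav's own code or its detectXss() function. It uses a real HTML parser instead of a regex, so attribute names are resolved before the check and the quoting style (double, single, or none, which is what the regex blacklist stumbled on) makes no difference. The sample content, function names and file layout are constructed for the example.

```python
"""Scan stored page content for HTML event-handler (on*) attributes and
scrub them.  Added example: not Grav's code and not its detectXss() check.

The CVE text says a regex blacklist missed *unquoted* event attributes.
A real HTML parser resolves attribute names and values before any check is
made, so double-quoted, single-quoted and unquoted forms are all caught.
"""
from html import escape
from html.parser import HTMLParser

# Constructed sample content for the example (not from the CVE record).
# Line 4 is the unquoted form the record describes; line 5 is a quoted,
# upper-case variant; lines 3 and 6 are benign look-alikes that a bare
# "on[a-zA-Z]+=" pattern would flag.
SAMPLE_CONTENT = """<h1>Release notes</h1>
<img src="/logo.png" alt="logo">
<p contenteditable="true">Edit me</p>
<img src=x onerror=handler()>
<a href="/next" ONCLICK='go()'>next</a>
<div data-on="ready">ok</div>
"""


class EventHandlerScanner(HTMLParser):
    """Records every start tag that carries an attribute named on*."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        line, _column = self.getpos()
        for name, value in attrs:  # names arrive lower-cased, values unquoted
            if name.startswith("on"):
                self.findings.append((line, tag, name, value or ""))


def find_event_handlers(html_text):
    """Return [(line, tag, attribute, value), ...] for every on* attribute."""
    scanner = EventHandlerScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


class EventHandlerStripper(HTMLParser):
    """Re-emits the markup without on* attributes and with every remaining
    attribute value double-quoted and escaped, so nothing unquoted survives."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = 0

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on"):
                self.removed += 1
                continue
            if value is None:  # boolean attribute such as <input disabled>
                parts.append(name)
            else:
                parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (" ".join(parts), " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def strip_event_handlers(html_text):
    """Return (scrubbed_html, number_of_attributes_removed)."""
    stripper = EventHandlerStripper()
    stripper.feed(html_text)
    stripper.close()
    return "".join(stripper.out), stripper.removed


if __name__ == "__main__":
    for line, tag, name, value in find_event_handlers(SAMPLE_CONTENT):
        print("line %d: <%s> has %s=%r" % (line, tag, name, value))
    scrubbed, removed = strip_event_handlers(SAMPLE_CONTENT)
    print("removed %d attribute(s)\n%s" % (removed, scrubbed))
```

Run it over a content file (or feed each file under the Grav content directory to find_event_handlers) to get line-numbered findings; the parser-based check flags only real on* attributes, so contenteditable and data-on do not produce the false positives a bare regex gives. The stripper handles only event-handler attributes, the vector this CVE describes, and is not a complete HTML sanitizer; the upgrade to 2.0.0-beta.2 and a CSP remain the actual fix.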

