CVE-2026-42841
Stored XSS in Grav CMS via Markdown Image Attributes
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgrav | grav | to 2.0.0-beta.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42841 is a stored cross-site scripting (XSS) vulnerability in Grav CMS versions prior to 2.0.0-beta.2.
An authenticated user with page editing permissions can inject a malicious JavaScript event-handler attribute into the rendered image HTML by exploiting Grav's Markdown media action syntax.
This happens because Markdown image query parameters are improperly converted into callable media actions, allowing the user to set arbitrary HTML attributes on image elements.
For example, an attacker can craft a Markdown image reference with a query parameter like `attribute=onload,alert(document.domain)`, which results in an executable onload handler in the rendered `<img>` tag.
This vulnerability is fixed in version 2.0.0-beta.2 by restricting attribute names to a safe allowlist and blocking script-context names such as event handlers.
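The following is an added illustration of the defect and its fix, written for this page and not taken from Grav's source. It models an `attribute=name,value` media action as a small Python function: the pre-fix variant copies whatever name the author supplied onto the `<img>` element, while the hardened variant only accepts names from an allowlist and refuses anything beginning with `on`. The allowlist contents, the function names and the `parse_media_action` helper are assumptions for the example; Grav's real list lives in its 2.0.0-beta.2 release. Note that escaping the attribute value does nothing here, because the script in an event-handler attribute is valid attribute text; the attribute name itself has to be controlled.

```python
import html

# Hypothetical allowlist of attributes a Markdown author may set on an image.
# These names are assumptions for this example, not Grav's actual list.
SAFE_IMAGE_ATTRIBUTES = frozenset({
    "alt", "title", "class", "id", "width", "height", "loading", "decoding",
})


def parse_media_action(argument: str) -> tuple[str, str]:
    """Split the comma-separated argument of an `attribute=` media action.

    Mimics `attribute=onload,alert(document.domain)`
    -> ("onload", "alert(document.domain)").  Assumed syntax for the example.
    """
    name, _, value = argument.partition(",")
    return name, value


def attribute_action_unsafe(attrs: dict, name: str, value: str) -> dict:
    """Pre-fix behaviour: any name from the query string becomes an attribute."""
    attrs[name] = value
    return attrs


def attribute_action_safe(attrs: dict, name: str, value: str) -> dict:
    """Hardened behaviour: drop event handlers and names outside the allowlist."""
    key = name.strip().lower()
    # Every HTML event-handler attribute begins with "on": refuse the whole class,
    # case-insensitively, so ONLOAD or OnError cannot slip past the allowlist.
    if key.startswith("on"):
        return attrs
    if key not in SAFE_IMAGE_ATTRIBUTES:
        return attrs
    attrs[key] = value
    return attrs


def render_img(src: str, attrs: dict) -> str:
    """Serialise an <img> tag, escaping each value for an HTML attribute context."""
    parts = [f'src="{html.escape(src, quote=True)}"']
    for key, value in attrs.items():
        parts.append(f'{key}="{html.escape(value, quote=True)}"')
    return "<img " + " ".join(parts) + ">"


if __name__ == "__main__":
    name, value = parse_media_action("onload,alert(document.domain)")
    print("unsafe:", render_img("pixel.gif", attribute_action_unsafe({}, name, value)))
    print("safe:  ", render_img("pixel.gif", attribute_action_safe({}, name, value)))
    print("benign:", render_img("logo.png", attribute_action_safe({}, "alt", "Logo")))
```

Running the block prints the pre-fix output with a live `onload` attribute, the hardened output with the attribute silently dropped, and a benign `alt` attribute passing through unchanged.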
How can this vulnerability impact me?
This vulnerability allows an attacker with page editing permissions to inject executable JavaScript into pages viewed by other users.
When another user, such as an administrator or reviewer, views the affected page, the malicious script executes in their browser.
This can lead to unauthorized actions, session hijacking, or theft of sensitive information within the context of the affected website.
Since the vulnerability is a stored XSS, the malicious code persists on the site until fixed, potentially affecting multiple users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting rendered pages for malicious JavaScript event-handler attributes injected into image HTML elements via Grav's Markdown media action syntax.
Specifically, look for image tags containing suspicious attributes such as event handlers (e.g., onload, onclick) that are not normally present.
A practical approach is to search the Grav content files or database for Markdown image references containing query parameters like `attribute=onload,alert(document.domain)` or similar payloads.
Example commands to detect such payloads in Grav content files (assuming a Unix-like environment):
- `grep -r 'attribute=onload' /path/to/grav/user/pages`
- `grep -r 'attribute=onclick' /path/to/grav/user/pages`
- `grep -r 'attribute=onerror' /path/to/grav/user/pages`
Additionally, monitoring HTTP traffic for suspicious payloads in Markdown image query parameters or reviewing logs for unexpected script execution triggered by image elements can help detect exploitation attempts.
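The greps above only catch three lower-case handler names. The added scanner below, written for this page rather than taken from any Grav tooling, generalises the same check in two directions: it walks Markdown source and flags every `attribute=` media action whose name is an event handler (any name starting with `on`, case-insensitive) or is outside an allowlist, and it walks rendered HTML and reports `<img>` elements carrying any `on*` attribute. The sample Markdown and HTML are constructed inputs, and the allowlist names and regular expression are assumptions about the `![alt](file?action=args)` syntax the page describes.

```python
import re
from html.parser import HTMLParser

# Constructed sample page source (not real site content): two benign media
# actions, one allowlisted attribute action, and two injected event handlers.
SAMPLE_MARKDOWN = """\
# Welcome
![hero](hero.jpg?resize=800,400)
![logo](logo.png?attribute=alt,Company%20logo)
Some text here.
![pixel](pixel.gif?attribute=onload,alert(document.domain))
![icon](icon.svg?classes=inline&attribute=ONERROR,alert(1))
"""

# Constructed rendered HTML: only the <img> with an on* attribute should be reported.
SAMPLE_HTML = """<p>Intro</p>
<img src="hero.jpg" alt="hero">
<img src="pixel.gif" onload="alert(document.domain)">
<a href="#" onclick="nav()">skip</a>
"""

# Hypothetical allowlist of attribute names an author may legitimately set.
SAFE_IMAGE_ATTRIBUTES = frozenset({
    "alt", "title", "class", "id", "width", "height", "loading", "decoding",
})

# A Markdown image reference whose query string contains an `attribute=` action;
# group 1 captures the attribute name (everything before the first comma).
IMAGE_ATTRIBUTE_ACTION = re.compile(
    r"!\[[^\]]*\]\([^)\s]*?[?&]attribute=([A-Za-z_:.-]+)", re.IGNORECASE
)


def classify_attribute(name: str) -> str:
    """Return 'event-handler', 'unlisted' or 'ok' for an attribute name."""
    key = name.lower()
    if key.startswith("on"):
        return "event-handler"
    if key not in SAFE_IMAGE_ATTRIBUTES:
        return "unlisted"
    return "ok"


def scan_markdown(text: str) -> list[tuple[int, str, str]]:
    """Report (line number, attribute name, verdict) for every suspicious action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in IMAGE_ATTRIBUTE_ACTION.finditer(line):
            verdict = classify_attribute(match.group(1))
            if verdict != "ok":
                findings.append((lineno, match.group(1), verdict))
    return findings


class ImgHandlerFinder(HTMLParser):
    """Collect <img> tags that carry an on* attribute in rendered HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[int, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append((self.getpos()[0], name))


def scan_html(markup: str) -> list[tuple[int, str]]:
    """Report (line number, attribute name) for every <img> with an event handler."""
    parser = ImgHandlerFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for lineno, name, verdict in scan_markdown(SAMPLE_MARKDOWN):
        print(f"markdown line {lineno}: attribute={name} ({verdict})")
    for lineno, name in scan_html(SAMPLE_HTML):
        print(f"html line {lineno}: <img> has {name}")
```

Point `scan_markdown` at the contents of each file under the site's pages directory, and `scan_html` at the output of a crawl of the rendered site; the HTML pass catches content that was stored before the fix and is still being served, which the grep list alone would miss if the injected name is not one of the three it searches for.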
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Grav CMS to version 2.0.0-beta.2 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, restrict page editing permissions to trusted users only, as the vulnerability requires authenticated users with page editing rights.
Review and sanitize existing content for injected malicious attributes in Markdown image syntax.
Implement monitoring to detect suspicious activity related to image rendering and script execution.