Executive Summary

CVE-2026-42841 is a stored cross-site scripting (XSS) vulnerability in Grav CMS versions prior to 2.0.0-beta.2.

An authenticated user with page editing permissions can inject a malicious JavaScript event-handler attribute into the rendered image HTML by exploiting Grav's Markdown media action syntax.

This happens because Markdown image query parameters are improperly converted into callable media actions, allowing the user to set arbitrary HTML attributes on image elements.

For example, an attacker can craft a Markdown image reference with a query parameter like `attribute=onload,alert(document.domain)`, which results in an executable onload handler in the rendered <img> tag.

This vulnerability is fixed in version 2.0.0-beta.2 by restricting attribute names to a safe allowlist and blocking script-context names such as event handlers.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with page editing permissions to inject executable JavaScript into pages viewed by other users.

When another user, such as an administrator or reviewer, views the affected page, the malicious script executes in their browser.

This can lead to unauthorized actions, session hijacking, or theft of sensitive information within the context of the affected website.

Since the vulnerability is a stored XSS, the malicious code persists on the site until fixed, potentially affecting multiple users.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated user to inject executable JavaScript into rendered HTML, leading to stored cross-site scripting (XSS). This can result in unauthorized script execution when other users view affected pages, potentially exposing sensitive information or enabling further attacks.

Such a vulnerability can impact compliance with standards like GDPR and HIPAA because it may lead to unauthorized access or disclosure of personal or protected health information through exploitation of the XSS flaw.

Organizations using affected versions of Grav CMS should consider this risk in their security posture and remediation plans to maintain compliance with data protection regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting rendered pages for malicious JavaScript event-handler attributes injected into image HTML elements via Grav's Markdown media action syntax.

Specifically, look for image tags containing suspicious attributes such as event handlers (e.g., onload, onclick) that are not normally present.

A practical approach is to search the Grav content files or database for Markdown image references containing query parameters like `attribute=onload,alert(document.domain)` or similar payloads.

Example commands to detect such payloads in Grav content files (assuming a Unix-like environment):

• grep -r 'attribute=onload' /path/to/grav/user/pages
• grep -r 'attribute=onclick' /path/to/grav/user/pages
• grep -r 'attribute=onerror' /path/to/grav/user/pages

Additionally, monitoring HTTP traffic for suspicious payloads in Markdown image query parameters or reviewing logs for unexpected script execution triggered by image elements can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Grav CMS to version 2.0.0-beta.2 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, restrict page editing permissions to trusted users only, as the vulnerability requires authenticated users with page editing rights.

Review and sanitize existing content for injected malicious attributes in Markdown image syntax.

Implement monitoring to detect suspicious activity related to image rendering and script execution.

Useful 0 Not Useful 0