Compliance Impact

The vulnerability allows an editor-level user to inject arbitrary JavaScript that executes in administrator browsers, potentially enabling unauthorized actions by stealing admin nonces. This kind of Stored Cross-Site Scripting (XSS) can lead to unauthorized access or modification of sensitive data managed through the Grav CMS admin panel.

Such unauthorized access or data manipulation could impact compliance with standards and regulations like GDPR or HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure data integrity.

However, the vulnerability does not allow direct cookie theft due to HttpOnly session cookies, somewhat limiting the attack scope.

Overall, the presence of this XSS vulnerability increases the risk of non-compliance with data protection regulations by exposing administrative interfaces to script injection attacks that could compromise data security and privacy.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-42842 is a Stored Cross-Site Scripting (XSS) vulnerability in the Grav CMS Form plugin prior to version 9.1.0. It occurs because the plugin's select field template uses the Twig |raw filter to render taxonomy tag and category values in the admin panel, bypassing the global autoescape protection.

This allows an editor-level user to inject arbitrary JavaScript code into taxonomy values, which then executes in any administrator's browser session when they view or edit any page in the admin panel.

The vulnerability arises because the malicious script can break out of the expected HTML context and evade built-in XSS detection, affecting all page editors due to shared taxonomy options.

The issue was fixed by removing the |raw filter and properly escaping all select field option texts in the plugin.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing a lower-privileged editor to inject malicious JavaScript that executes in the browsers of administrators when they access the admin panel.

Such script execution can lead to theft of admin nonces, enabling attackers to perform privileged actions within the CMS.

Although HttpOnly session cookies prevent direct cookie theft, the XSS can still compromise administrative control and potentially lead to unauthorized changes or data manipulation.

The vulnerability has a moderate severity score (CVSS 5.4) and requires network access, low attack complexity, and low privileges with user interaction.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Grav CMS Form plugin version is prior to 9.1.0 or 2.0.0-beta.2, as these versions contain the vulnerable |raw filter in the select field template.

To detect exploitation attempts, you can look for suspicious taxonomy tag or category values containing injected JavaScript payloads such as: </option></select><img src=x onerror=alert('XSS-via-editor')>.

Since the vulnerability involves stored XSS in the admin panel, monitoring HTTP requests or logs for unusual input in taxonomy fields or select options may help.

No specific detection commands are provided in the resources.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Grav CMS Form plugin to version 9.1.0 or later, or to Grav 2.0.0-beta.2 or later, where the vulnerability has been fixed by removing the |raw filter and improving XSS detection.

Until the upgrade can be applied, restrict editor-level user permissions to prevent injection of malicious taxonomy values.

Additionally, review and sanitize any existing taxonomy tags or category values that may contain malicious scripts.

Useful 0 Not Useful 0