CVE-2026-55890
Deferred Deferred - Pending Action

Stored XSS in Grav CMS via Unsanitized Markdown Image Styles

Vulnerability report for CVE-2026-55890, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Grav is a file-based Web platform. Prior to 2.0.0-rc.9, Grav's incomplete fix for stored XSS through the Markdown media attribute action (CVE-2026-42841) leaves the sibling MediaObjectTrait::style method reachable through the same Markdown excerpt-action pipeline, allowing an editor to save Markdown image style parameters that are written into the rendered img style attribute without sanitization. This issue is fixed in version 2.0.0-rc.9.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
grav grav to 2.0.0-rc.9 (inc)
getgrav grav to 2.0.0-rc.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55890 is a stored CSS injection vulnerability in the Grav CMS platform affecting versions 2.0.0-rc.8 and earlier. It arises from an incomplete fix for a previous vulnerability where the MediaObjectTrait::style() method allowed editors to inject unsanitized CSS styles into Markdown image syntax. This means an attacker with editor privileges can save malicious CSS in image style parameters that get rendered directly into the img style attribute without proper filtering.

The vulnerability allows injection of dangerous CSS properties such as positioning and stacking (e.g., position, z-index), function calls like url() or expression(), and other potentially harmful constructs. This can lead to attacks like phishing overlays, clickjacking, UI denial-of-service, or CSS-based data exfiltration.

Impact Analysis

If exploited, this vulnerability allows an attacker with editor-level permissions to inject malicious CSS into images displayed on the website. This CSS can be used to create phishing overlays, perform clickjacking attacks, cause user interface denial-of-service by disrupting page layout, or exfiltrate data through CSS-based techniques.

Because the injected styles affect all users viewing the page, including administrators, the impact extends beyond the attacker's own privileges, potentially compromising the security and integrity of the website and its users.

The vulnerability requires high privileges (editor role) and some user interaction (viewing the affected page), and has a moderate CVSS score of 4.8.

Detection Guidance

This vulnerability involves malicious CSS injected via the Markdown image style parameter (?style=) in Grav CMS, which is stored and rendered in the img style attribute without sanitization.

Detection involves identifying Markdown image syntax using the ?style= parameter that contains potentially dangerous CSS properties such as positioning (e.g., position:fixed), stacking (z-index), or function calls like url() or expression().

Since the vulnerability bypasses typical XSS detection, manual inspection or custom scripts to scan stored Markdown content or rendered HTML for suspicious inline styles is recommended.

  • Search your Grav content files for Markdown image links with the ?style= parameter, for example using grep:
  • grep -r '\!\[.*\](.*\?style=.*)' /path/to/grav/user/pages
  • Inspect rendered HTML pages for img tags with suspicious style attributes, for example using curl and grep:
  • curl -s http://yourgravsite | grep '<img ' | grep 'style='

These commands help identify potentially malicious inline styles injected via Markdown images that exploit this vulnerability.

Mitigation Strategies

The primary mitigation is to upgrade Grav CMS to version 2.0.0-rc.9 or later, where the vulnerability is fixed by introducing strict validation of inline image styles.

If immediate upgrade is not possible, consider disabling or restricting editor permissions (admin.pages) to prevent untrusted users from injecting Markdown image styles.

Alternatively, remove or sanitize existing Markdown content that uses the ?style= parameter to prevent malicious CSS from being rendered.

The fix involves applying a denylist and validation function (`isSafeStyleValue()`) that blocks dangerous CSS properties (e.g., position, z-index), function calls (url(), expression()), at-rules, and markup characters.

Deprecating or disabling the Markdown ?style= feature entirely is also suggested to eliminate this attack vector.

Compliance Impact

The vulnerability allows an attacker with editor privileges to inject malicious CSS into rendered images, which can be used for phishing overlays, clickjacking, UI denial-of-service, or CSS-based data exfiltration.

Such attacks could potentially lead to unauthorized access or exposure of sensitive information, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive data.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these standards or regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart