CVE-2026-58657
Deferred Deferred - Pending Action

Stored CSS Injection in Grav CMS

Vulnerability report for CVE-2026-58657, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Grav before 2.0.0 (affected through 2.0.0-rc.9 and the 2.0 branch) contains a stored CSS injection vulnerability in the Markdown image resize() media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute() fallbacks, but the resize() action in Excerpts::processMediaActions() writes caller-controlled values directly into the image's styleAttributes. A lower-privileged content editor who can edit page Markdown can store a crafted image URL with semicolon-delimited CSS declarations in the resize parameters, which are rendered into the final <img style=...> attribute when a higher-privileged reviewer/admin views the page or preview. This does not require JavaScript execution but enables UI redress/overlay and content-manipulation attacks (e.g., a full-viewport fixed overlay). Fixed in 2.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
grav grav to 2.0.0 (inc)
getgrav grav to 2.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58657 is a stored CSS injection vulnerability in Grav CMS versions before 2.0.0, including 2.0.0-rc.9 and the 2.0 branch. It occurs in the Markdown image resize() media action, where user-controlled values are written directly into the style attributes of images without proper sanitization.

A lower-privileged content editor can craft an image URL with semicolon-delimited CSS declarations in the resize parameters. When a higher-privileged user, such as an admin or reviewer, views the page or preview, the malicious CSS is rendered in the final <img style=...> attribute.

This vulnerability does not require JavaScript execution but can enable UI redressing, overlay, and content manipulation attacks, such as creating a full-viewport fixed overlay that can obscure or manipulate the user interface.

The root cause is the lack of input validation or sanitization in the resize() function within Excerpts::processMediaActions(), which allows caller-controlled CSS to be injected directly into style attributes.

Detection Guidance

This vulnerability can be detected by identifying instances where user-controlled CSS is injected into image style attributes via the Markdown image resize() media action. Specifically, look for image URLs containing semicolon-delimited CSS declarations in the resize parameters, such as URLs with patterns like '?resize=100;position:fixed;top:0;left:0;width:100vw;height:100vh;background:white;z-index:9999'.

To detect exploitation attempts or presence of this vulnerability on your system, you can search your Grav content files or database for image URLs containing suspicious resize parameters with CSS declarations.

  • Use grep or similar tools to scan Markdown content files for suspicious resize parameters, e.g.:
  • grep -rP '\?resize=[^\s]*;[^\s]*' /path/to/grav/content
  • Alternatively, search your database or content storage for image URLs containing semicolons in resize parameters.

Monitoring HTTP requests for image URLs with suspicious resize parameters can also help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade Grav to version 2.0.0 or later, where this vulnerability has been fixed.

The fix involves proper validation and sanitization of values passed to the resize() function to prevent injection of malicious CSS into image style attributes.

Until you can upgrade, restrict lower-privileged users from editing Markdown content that includes image resize parameters, as they can exploit this vulnerability.

Additionally, review and sanitize any existing content that may contain malicious resize parameters to prevent UI redress or overlay attacks.

Compliance Impact

The vulnerability allows a lower-privileged user to inject malicious CSS into image style attributes, which can lead to UI redress, overlay, and content manipulation attacks when viewed by higher-privileged users.

Such attacks could potentially be used to manipulate or obscure content, possibly leading to unauthorized disclosure or alteration of information.

However, the provided information does not explicitly link this vulnerability to direct violations of compliance standards like GDPR or HIPAA.

The vulnerability's impact on confidentiality and integrity is rated as low to moderate (CVSS 4.8), and it does not involve JavaScript execution or direct data exfiltration.

Therefore, while the vulnerability could indirectly affect compliance by enabling UI manipulation that might mislead users or administrators, there is no direct stated effect on compliance with regulations such as GDPR or HIPAA in the provided resources.

Impact Analysis

This vulnerability can impact you by allowing a lower-privileged user to inject malicious CSS into images displayed to higher-privileged users, such as admins or reviewers.

The injected CSS can be used to perform UI redressing attacks, such as overlaying a full-viewport fixed element that can obscure the interface or manipulate content presentation.

Such attacks can lead to confusion, misrepresentation of content, or tricking users into performing unintended actions by hiding or altering UI elements.

Because the attack does not require JavaScript, traditional script-blocking defenses may not prevent it.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58657. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart