CVE-2026-42611 Overview
CVE-2026-42611 is a stored Cross-Site Scripting (XSS) vulnerability in Grav, a file-based Web platform, affecting versions prior to 2.0.0-beta.2. A low-privileged user with page creation permissions can inject malicious <svg> elements into Grav content. When a Super Admin views the affected page, the injected script executes in the administrator's session context. Attackers can escalate the XSS to exfiltrate system information from /admin/config/info and chain the attack with the admin-nonce token to achieve Remote Code Execution (RCE) [CWE-79]. The vulnerability is tracked under GitHub Security Advisory GHSA-w8cg-7jcj-4vv2 and fixed in version 2.0.0-beta.2.
Critical Impact
A low-privileged author account can compromise the entire Grav server by chaining stored SVG-based XSS with admin-nonce abuse to reach Remote Code Execution.
Affected Products
- Getgrav Grav versions prior to 2.0.0-beta.2
- Getgrav Grav 2.0.0-beta1
- Grav Admin Panel (/admin/config/info endpoint)
Discovery Timeline
- 2026-05-11 - CVE-2026-42611 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42611
Vulnerability Analysis
The vulnerability resides in Grav's content rendering pipeline, which fails to sanitize <svg> elements supplied by authenticated low-privileged users. SVG documents support inline <script> tags and event handlers such as onload, allowing JavaScript execution when the page is rendered in a browser. Because Grav's admin interface renders user-created pages without sufficient output encoding, the injected payload runs with the Super Admin's privileges when they visit the affected page.
The attack chain proceeds in three stages. First, the attacker creates a page containing a crafted SVG payload. Second, when a Super Admin views the page, the script executes and fetches /admin/config/info, leaking environment, PHP, and Grav configuration data. Third, the script reads the admin-nonce value from the DOM and submits authenticated administrative actions, including operations that result in arbitrary code execution on the server.
Root Cause
The root cause is improper neutralization of input during page rendering [CWE-79]. Grav permitted SVG element injection within page content and trusted the rendered output in the admin context. Related media handling routines also accepted attacker-controlled attribute names, which could carry inline event handlers onto image tags.
Attack Vector
Exploitation requires an authenticated user with page-creation rights and a Super Admin who subsequently views the malicious page. The attack is network-reachable, has low complexity, and requires user interaction from the privileged victim.
// Patch excerpt: system/src/Grav/Common/Media/Traits/MediaObjectTrait.php
// Restricts attribute names to safe HTML identifiers, rejecting event
// handlers (on*), inline style, xmlns, srcdoc, and form* attributes.
public function attribute($attribute = null, $value = '')
{
if (empty($attribute) || !is_string($attribute)) {
return $this;
}
if (!self::isSafeAttributeName($attribute)) {
return $this;
}
$this->attributes[$attribute] = $value;
return $this;
}
Source: Grav security commit 5a12f9be
Detection Methods for CVE-2026-42611
Indicators of Compromise
- Grav page content (Markdown or frontmatter) containing <svg> elements with inline <script>, onload, or other on* event handlers.
- Unexpected outbound or same-origin requests to /admin/config/info originating from a Super Admin browser session.
- Administrative actions submitted with valid admin-nonce values shortly after a Super Admin opened a page authored by a low-privileged user.
- New plugins, themes, or PHP files written under the Grav web root without a corresponding admin-initiated installation.
Detection Strategies
- Scan the user/pages/ directory for SVG markup, javascript: URIs, and on* event-handler attributes inside page Markdown and frontmatter.
- Monitor web server access logs for sequential requests to /admin/config/info followed by state-changing /admin/* POST requests within the same session.
- Review Grav admin audit logs for plugin or theme installation events that do not correlate with legitimate administrator activity.
Monitoring Recommendations
- Alert on creation or modification of pages by non-admin Grav accounts that contain <svg, <script, or on[a-z]+= patterns.
- Track Super Admin sessions for anomalous DOM-driven requests immediately after viewing user-authored content.
- Capture file integrity events under user/plugins/, user/themes/, and system/ directories of the Grav installation.
How to Mitigate CVE-2026-42611
Immediate Actions Required
- Upgrade Grav to version 2.0.0-beta.2 or later on all instances exposing the admin panel.
- Audit existing pages authored by low-privileged users and remove any SVG, script, or event-handler content.
- Rotate Super Admin credentials and invalidate active admin sessions if exploitation is suspected.
- Review installed plugins and themes for unauthorized additions or modifications since the vulnerable version was deployed.
Patch Information
The fix is delivered in commit 5a12f9be8314682c8713e569e330f11805d0a663 and shipped in Grav 2.0.0-beta.2. The patch hardens archive extraction against Zip Slip, restricts attribute names accepted by MediaObjectTrait::attribute() to safe identifiers, and rejects event-handler and srcdoc-style names. Details are available in the Grav GitHub Security Advisory GHSA-w8cg-7jcj-4vv2.
Workarounds
- Restrict page creation and editing permissions to trusted administrators until the upgrade is applied.
- Place the Grav admin panel behind network controls such as IP allow-listing or VPN access to limit who can view authored pages.
- Apply a Content Security Policy that disallows inline scripts on admin routes to reduce the impact of injected SVG payloads.
# Verify and upgrade Grav using the bundled CLI
php bin/gpm version
php bin/gpm selfupgrade -f
php bin/gpm version # Confirm 2.0.0-beta.2 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
