Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42612

CVE-2026-42612: Getgrav Grav XSS Vulnerability

CVE-2026-42612 is a stored Cross-Site Scripting flaw in Getgrav Grav that allows publisher-level accounts to execute arbitrary JavaScript through unquoted HTML event attributes. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-42612 Overview

CVE-2026-42612 is a stored Cross-Site Scripting (XSS) vulnerability in Grav, a file-based PHP content management system maintained by getgrav. The flaw exists in the detectXss() function, which fails to identify unquoted HTML event attributes during its blacklist-based filtering. Publisher-level accounts can inject persistent JavaScript that executes in the browser of any user who views the affected content. The vulnerability is fixed in Grav 2.0.0-beta.2.

Critical Impact

Authenticated publishers can store arbitrary JavaScript in Grav content, leading to session theft, account takeover of higher-privileged users, and pivoting through the administrative interface.

Affected Products

  • Getgrav Grav versions prior to 2.0.0-beta.2
  • Getgrav Grav 2.0.0-beta1
  • Grav deployments exposing the admin/publishing interface to multiple user roles

Discovery Timeline

  • 2026-05-11 - CVE-2026-42612 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-42612

Vulnerability Analysis

The vulnerability is classified as Cross-Site Scripting [CWE-79]. Grav uses a function named detectXss() to inspect user-supplied HTML for dangerous constructs before storing or rendering it. The function operates as a denylist, matching known dangerous patterns such as quoted event handlers and javascript: URIs.

The denylist fails to normalize attribute syntax before matching. HTML parsers accept event handler attributes without surrounding quotes, for example <img src=x onerror=alert(1)>. The detection routine does not match this unquoted form, allowing the payload to pass validation. Once stored, the page renderer emits the attacker-controlled markup verbatim, and the browser executes the JavaScript in the context of the Grav origin.

Exploitation requires a publisher-level account, so the attack is authenticated. The payload persists in Grav content files and triggers for every viewer, including administrators with higher privileges.

Root Cause

The root cause is incomplete input validation in detectXss(). The function relies on a denylist that does not account for the full lexical flexibility of the HTML attribute grammar. Unquoted event attributes are functionally equivalent to quoted ones in browsers, but they are not equivalent to the regex patterns used for detection.

Attack Vector

An attacker with publisher privileges submits content containing an unquoted event handler through the Grav editor or content API. The detectXss() filter approves the input, and Grav writes it to disk. When any user requests the affected page, the malicious script executes under the Grav domain, enabling cookie theft, CSRF against admin endpoints, and privilege escalation.

php
// Security patch in system/src/Grav/Common/Media/Traits/MediaObjectTrait.php
// Restricts attribute names to safe identifiers and rejects event handlers,
// inline style, srcdoc, XML namespace, and form* attributes.
public function attribute($attribute = null, $value = '')
{
    if (empty($attribute) || !is_string($attribute)) {
        return $this;
    }
    if (!self::isSafeAttributeName($attribute)) {
        return $this;
    }
    $this->attributes[$attribute] = $value;
    return $this;
}

Source: Grav security commit 5a12f9b

Detection Methods for CVE-2026-42612

Indicators of Compromise

  • Grav content files (.md, .yaml, page data) containing unquoted HTML event handlers such as onerror=, onload=, or onmouseover= without surrounding quotes
  • Unexpected <script>, <svg>, or <img> elements introduced by non-administrator accounts
  • Outbound browser requests from administrator sessions to attacker-controlled domains shortly after viewing publisher-authored content

Detection Strategies

  • Audit page content authored by publisher-role accounts for HTML event attributes and inline JavaScript
  • Compare current page files against version control history to surface unauthorized markup insertions
  • Inspect web server access logs for admin sessions issuing unusual POST requests immediately after rendering publisher content

Monitoring Recommendations

  • Enable Content Security Policy (CSP) reporting to capture blocked inline-script execution attempts in Grav-rendered pages
  • Monitor authentication logs for new or escalated administrator sessions originating from browsers that loaded publisher-authored pages
  • Alert on file modifications to the user/pages/ directory performed by non-administrator accounts

How to Mitigate CVE-2026-42612

Immediate Actions Required

  • Upgrade Grav to version 2.0.0-beta.2 or later, which replaces the denylist logic and hardens attribute handling
  • Review and revoke unnecessary publisher-role accounts and rotate session tokens for all privileged users
  • Audit existing page content for malicious markup and remove or sanitize affected files before re-enabling the admin interface

Patch Information

The fix is delivered in commit 5a12f9be8314682c8713e569e330f11805d0a663 and tracked under GHSA-9695-8fr9-hw5q. The patch introduces an allowlist for attribute names through isSafeAttributeName(), rejecting on*, style, srcdoc, XML namespace, and form* attributes, and hardens archive extraction against Zip Slip.

Workarounds

  • Restrict the publisher role to trusted users only until the upgrade is applied
  • Deploy a strict Content Security Policy that disallows inline scripts and unsafe-eval to limit XSS impact
  • Place a web application firewall rule in front of Grav that blocks request bodies containing unquoted event handler attributes
bash
# Verify installed Grav version and upgrade via the CLI
bin/grav -v
bin/gpm selfupgrade
# Confirm post-upgrade version is 2.0.0-beta.2 or later
bin/grav -v

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.