CVE-2026-42841 Overview
CVE-2026-42841 is a stored cross-site scripting (XSS) vulnerability in Grav, a file-based Web platform developed by Getgrav. The flaw affects all versions prior to 2.0.0-beta.2. An authenticated user with page editing permissions can inject executable JavaScript event-handler attributes into rendered image HTML through Grav's Markdown media action syntax. The root cause lies in Markdown image query parameters being converted into callable media actions, which expose the public attribute() media method. This method accepts an arbitrary HTML attribute name and value applied directly to the generated <img> element. The issue is tracked under CWE-79 and fixed in Grav 2.0.0-beta.2.
Critical Impact
An authenticated editor can inject arbitrary event handlers (e.g., onerror, onload) onto rendered images, leading to JavaScript execution in the context of any visitor or administrator viewing the affected page.
Affected Products
- Getgrav Grav versions prior to 2.0.0-beta.2
- Getgrav Grav 2.0.0-beta1
- Fixed in Getgrav Grav 2.0.0-beta.2
Discovery Timeline
- 2026-05-11 - CVE-2026-42841 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42841
Vulnerability Analysis
Grav's Markdown processor translates query parameters appended to image references into method calls on the corresponding media object. When an editor writes Markdown such as , the parser invokes the attribute() method on the media object. This method is public and writes any supplied key/value pair directly into the HTML attribute set of the rendered image element. Because no allowlist or sanitization was applied to the attribute name, an editor could set names such as onerror, onload, or onclick along with arbitrary JavaScript payloads as the value. The script then executes whenever the page is rendered in a browser.
Root Cause
The attribute() method in system/src/Grav/Common/Media/Traits/MediaObjectTrait.php accepted any non-empty string as an attribute name without validating it against a safe character set or rejecting event-handler attributes. The Markdown media action dispatcher reached this method directly from editor-controlled input, exposing an XSS sink reachable through standard image syntax.
Attack Vector
Exploitation requires an authenticated account with page editing privileges and user interaction by a victim who views the rendered page. The attacker crafts a Markdown image whose query string sets a JavaScript event-handler attribute and value. When Grav renders the page, the resulting <img> element fires the handler in the victim's browser, executing script in the site's origin. This permits session theft, admin action forgery, and content tampering against any user who loads the page.
/**
* Add custom attribute to medium.
*
* Reachable from Markdown via `?attribute=name,value` on image excerpts, so
* the attribute NAME is editor-controlled. We restrict it to plain HTML
* attribute identifiers (alphanumerics + `-`/`:`/`_`) and reject any name
* that would inject script when rendered onto an `<img>` tag — event
* handlers (`on*`), inline style, the XML namespace, srcdoc, and the
* various `form*` attributes whose URL targets are themselves trusted as
* actions. GHSA-r7fx-8g49-7hhr.
*
* @param string $attribute
* @param string $value
* @return $this
*/
public function attribute($attribute = null, $value = '')
{
if (empty($attribute) || !is_string($attribute)) {
return $this;
}
if (!self::isSafeAttributeName($attribute)) {
return $this;
}
$this->attributes[$attribute] = $value;
return $this;
}
Source: Grav security patch commit 5a12f9b. The patch enforces an allowlist of safe attribute name characters and explicitly rejects event handlers, inline style, XML namespace declarations, srcdoc, and form* attributes.
Detection Methods for CVE-2026-42841
Indicators of Compromise
- Rendered HTML containing <img> tags with event-handler attributes such as onerror, onload, or onclick in pages stored under the Grav content directory.
- Markdown source files containing image syntax with ?attribute=on patterns or other suspicious query parameters targeting the attribute media action.
- Unexpected outbound requests from administrator browsers shortly after viewing user-authored pages.
Detection Strategies
- Scan the Grav user/pages directory for Markdown files containing image references with query strings that match attribute=on[a-z]+, or other event-handler patterns.
- Inspect rendered page output for <img> elements carrying event-handler attributes that did not originate from official themes or plugins.
- Review Grav admin audit logs for editor accounts that created or modified pages immediately before XSS indicators appeared.
Monitoring Recommendations
- Enable a strict Content Security Policy (CSP) that blocks inline event handlers and report violations to a monitoring endpoint.
- Forward web server access logs and Grav admin logs to a centralized log platform for correlation of editor activity with anomalous client-side behavior.
- Alert on creation of new editor-role accounts or privilege changes that grant page editing permissions.
How to Mitigate CVE-2026-42841
Immediate Actions Required
- Upgrade Grav to version 2.0.0-beta.2 or later, which contains the fix in MediaObjectTrait::attribute().
- Audit all editor and administrator accounts and revoke page editing permissions for accounts that are not strictly required.
- Review existing pages for malicious Markdown image syntax and remove any unauthorized attribute injections.
Patch Information
The fix is delivered in Grav 2.0.0-beta.2. The patch in commit 5a12f9b introduces an isSafeAttributeName() validator that restricts attribute names to alphanumerics plus -, :, and _, and rejects event handlers, style, srcdoc, XML namespace attributes, and form* attributes. Refer to the GitHub Security Advisory GHSA-r7fx-8g49-7hhr and the upstream commit.
Workarounds
- Restrict the editor role to highly trusted users until the patched version is deployed, since exploitation requires page editing permissions.
- Deploy a Content Security Policy that disallows inline event handlers (script-src without unsafe-inline) to neutralize injected on* attributes.
- Use a web application firewall rule to block requests containing Markdown image references with attribute=on query parameters.
# Upgrade Grav using the bundled CLI updater
bin/gpm selfupgrade -f
# Verify installed version is 2.0.0-beta.2 or later
bin/grav --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
