CVE-2026-42842 Overview
CVE-2026-42842 is a stored Cross-Site Scripting (XSS) vulnerability in the Grav CMS Form plugin affecting versions prior to 9.1.0. The flaw resides in the select field template, where taxonomy tag and category values render through the Twig |raw filter in the admin panel. This bypasses Grav's global autoescape protection. An authenticated editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when the administrator views or edits a page in the admin panel. The vulnerability is fixed in Grav Form plugin version 9.1.0 [CWE-79].
Critical Impact
A low-privileged editor account can escalate to administrator-level actions by executing JavaScript in an admin's authenticated browser session.
Affected Products
- Grav CMS Form plugin versions prior to 9.1.0
- Grav CMS installations with the Form plugin enabled and editor-level users
- Grav admin panel rendering taxonomy data via the affected select.html.twig template
Discovery Timeline
- 2026-05-11 - CVE-2026-42842 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42842
Vulnerability Analysis
The Grav CMS Form plugin renders form select fields using the Twig template located at templates/forms/fields/select/select.html.twig. The template applies the |raw filter to placeholder text and option values populated from taxonomy tags and categories. Twig's |raw filter explicitly disables output escaping, overriding Grav's global autoescape configuration that normally neutralizes HTML and JavaScript in rendered content.
An editor-level user with permission to manage taxonomy values can submit payloads containing <script> tags or HTML event handlers. When an administrator subsequently loads a page containing the affected select field in the admin panel, the malicious markup renders directly into the DOM. The script executes with the administrator's session cookies and privileges, enabling account takeover, configuration changes, or installation of malicious plugins.
Root Cause
The root cause is the unnecessary use of the Twig |raw filter on user-controllable text values. Taxonomy tag and category labels do not require HTML rendering, yet the template trusted these strings as safe markup. The fix removes the |raw filter so the global autoescape policy applies and special characters are HTML-encoded before being written to the response.
Attack Vector
Exploitation requires an authenticated editor-level account on the target Grav instance and a separate administrator user who later views or edits an affected page. The attack chain is: an editor injects a JavaScript payload into a taxonomy tag or category value, the payload is stored in Grav's content store, an administrator opens the admin panel page that renders the select field, and the script executes in the administrator's authenticated context.
// Patch diff for templates/forms/fields/select/select.html.twig
{% endfor %}
{% endif %}
>
- {% if field.placeholder %}<option value="" disabled selected>{{ field.placeholder|t|raw }}</option>{% endif %}
+ {% if field.placeholder %}<option value="" disabled selected>{{ field.placeholder|t }}</option>{% endif %}
{% set options = field.options %}
{% if field.selectize.create and value %}
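Review bot: the hunk strips |raw only from the placeholder line, yet the analysis above states that option values built from taxonomy tags and categories also pass through |raw; the option loop that ends at the `{% endfor %}` context line above this change is not shown, so confirm that every `{{ ...|raw }}` inside that loop is removed as well, otherwise the taxonomy labels the advisory describes still bypass autoescape. Keeping `|t` on the placeholder is correct: the translation filter runs first and Twig's autoescape then encodes its result, which is exactly what `{{ field.placeholder|t }}` now does.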
Source: Grav Form Plugin Commit 6bffb4c — the patch removes the |raw filter so the placeholder text is escaped by Twig's autoescape.
Detection Methods for CVE-2026-42842
Indicators of Compromise
- Taxonomy tag or category values in Grav content files containing <script>, onerror=, onload=, or javascript: strings.
- Unexpected admin-panel HTTP requests originating from administrator sessions immediately after viewing pages with custom taxonomy data.
- New administrator accounts, plugin installations, or configuration changes performed shortly after an editor account modifies taxonomy values.
Detection Strategies
- Audit Grav content storage (user/pages/**/*.md and frontmatter taxonomy blocks) for HTML or JavaScript syntax inside taxonomy.tag and taxonomy.category fields.
- Review admin panel access logs for editor accounts modifying taxonomy values, then correlate with subsequent administrator sessions loading the same pages.
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script execution attempts in the admin panel.
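As an added example that is not part of the advisory or of the Grav project, the following Python script implements the first strategy above: it reads the YAML frontmatter of Grav page files and flags taxonomy.tag / taxonomy.category values that carry the HTML or JavaScript syntax named in the IoC list. The sample page is constructed for this example, and the line-based frontmatter parser is an assumption about the two list shapes Grav writes, not Grav's own loader.

```python
import re
# Tag openers, HTML event handlers and javascript: URLs (the IoC strings listed above).
SUSPICIOUS = re.compile(r"</?[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.I)
FRONTMATTER = re.compile(r"\A---[ \t]*\r?\n(.*?)\r?\n---", re.S)
FIELD = re.compile(r"^\s*(tag|category):\s*(.*)$")
ITEM = re.compile(r"^\s*-\s*(.*)$")

def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) > 1 and s[0] == s[-1] and s[0] in "\"'" else s

def taxonomy_values(frontmatter):
    """Yield (field, value) under taxonomy.tag / taxonomy.category, parsing Grav's
    inline [a, b] and block '- item' lists line by line (no YAML loader needed)."""
    tax_indent = field = None
    for line in frontmatter.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() == "taxonomy:":
            tax_indent, field = indent, None
        elif tax_indent is None or indent <= tax_indent:
            tax_indent = field = None                  # outside the taxonomy block
        elif FIELD.match(line):
            field, rest = FIELD.match(line).groups()
            if rest.startswith("[") and rest.endswith("]"):   # inline list
                for v in rest[1:-1].split(","):       # naive: a comma in a value splits it
                    yield field, _unquote(v)
                field = None
        elif ITEM.match(line) and field:               # block list item
            yield field, _unquote(ITEM.match(line).group(1))

def scan_page(text):
    """Return [(field, value)] for taxonomy entries carrying HTML/JS syntax; run it
    over every user/pages/**/*.md of the install under audit."""
    m = FRONTMATTER.match(text)
    return [(f, v) for f, v in taxonomy_values(m.group(1)) if SUSPICIOUS.search(v)] if m else []

# Constructed sample page (not from any real install): one clean tag, one tag
# carrying an event handler and one category holding a javascript: URL.
SAMPLE_PAGE = """---
title: Demo
taxonomy:
    category: [blog, "javascript:alert(1)"]
    tag:
        - grav
        - "<img src=x onerror=alert(1)>"
---
"""
```

Values the scanner reports should be reviewed by hand rather than deleted blindly, since a legitimate label containing a bare `<` will also trip the tag-opener pattern.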
Monitoring Recommendations
- Monitor write operations to Grav page frontmatter and flag changes that introduce HTML special characters in taxonomy fields.
- Alert on privilege changes, new admin user creation, and plugin installation events that follow editor-driven taxonomy edits.
- Track outbound requests from admin browser sessions to non-allowlisted domains, which may indicate exfiltration via injected script.
How to Mitigate CVE-2026-42842
Immediate Actions Required
- Upgrade the Grav Form plugin to version 9.1.0 or later on all Grav CMS instances.
- Audit all editor-level accounts and revoke access for users that do not require content authoring privileges.
- Inspect existing taxonomy tag and category values across all pages and remove any entries containing HTML or script syntax.
Patch Information
The vulnerability is fixed in Grav Form plugin version 9.1.0. The patch, tracked as GHSA-c2q3-p4jr-c55f, removes the |raw Twig filter from the select field template so the global autoescape policy properly encodes output. Apply the update through Grav's package manager or by replacing the plugin files with the released version.
Workarounds
- If immediate patching is not possible, manually edit templates/forms/fields/select/select.html.twig to remove the |raw filter from the placeholder rendering line.
- Restrict taxonomy editing permissions so only administrator-level users can modify tag and category values until the patch is applied.
- Enforce a strict Content Security Policy on the admin panel that disallows inline script execution.
# Update Grav Form plugin via the Grav package manager (GPM)
bin/gpm update form
# Verify the installed plugin version is 9.1.0 or later
bin/gpm info form | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.