Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58657

CVE-2026-58657: Grav CMS Stored XSS Vulnerability

CVE-2026-58657 is a stored XSS flaw in Grav CMS that allows content editors to inject malicious CSS through Markdown image resize parameters. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-58657 Overview

CVE-2026-58657 is a stored Cross-Site Scripting-class flaw ([CWE-79]) in the Grav flat-file content management system. Versions prior to 2.0.0, including 2.0.0-rc.9 and the 2.0 branch, contain a stored CSS injection in the Markdown image resize() media action. A lower-privileged content editor can embed semicolon-delimited CSS declarations in image resize parameters. Those values are written directly into the rendered <img style=...> attribute when a higher-privileged reviewer or administrator previews the page. Grav fixed the issue in release 2.0.0.

Critical Impact

Authenticated content editors can inject arbitrary CSS that renders in higher-privileged users' browsers, enabling UI redress, full-viewport overlays, and content-manipulation attacks without JavaScript execution.

Affected Products

  • Grav CMS versions prior to 2.0.0
  • Grav 2.0.0-rc.9 and earlier release candidates
  • The Grav 2.0 development branch prior to the fix

Discovery Timeline

  • 2026-07-08 - CVE-2026-58657 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-58657

Vulnerability Analysis

Grav supports Markdown image actions such as resize() that transform embedded images at render time. Earlier hardening in the media pipeline blocked direct ?style= payloads and unsafe attribute() fallbacks. However, the resize() action inside Excerpts::processMediaActions() did not validate its caller-controlled parameters. Those raw values flow into the image object's styleAttributes array and are serialized into the final HTML style attribute.

An attacker with page edit rights crafts a Markdown image URL whose resize parameters contain arbitrary CSS declarations separated by semicolons. When any user with higher privileges opens the page or its preview, the browser applies the injected CSS to the rendered <img> element. The attack does not require JavaScript execution, so Content Security Policy directives that only restrict script sources do not block it.

Root Cause

The root cause is missing output encoding and input validation on parameters passed to the image resize() media action. Grav trusts caller-provided values as safe CSS length units and concatenates them into inline style output. See the VulnCheck Security Advisory for a full walkthrough.

Attack Vector

Exploitation requires an authenticated editor account with permission to modify Markdown page content. The attacker embeds a poisoned image reference containing CSS payloads in the resize() parameters. When a reviewer or admin loads the page, the rendered inline style can apply attacker-controlled positioning, z-index, background, or pointer-events rules. This enables clickjacking-style UI redress, such as a fixed full-viewport overlay that intercepts privileged clicks or hides genuine interface elements. Refer to the GitHub Security Advisory GHSA-ffmg-hfvg-jhg9 for advisory details.

Detection Methods for CVE-2026-58657

Indicators of Compromise

  • Markdown source containing image references with resize() parameters that include semicolons, colons, or CSS keywords such as position, fixed, z-index, or url(.
  • Rendered pages where <img> elements carry unusually long or structurally complex style attributes with multiple declarations.
  • Audit log entries showing page edits by lower-privileged editor accounts immediately followed by admin previews.

Detection Strategies

  • Grep Grav user/pages/ Markdown files for image syntax containing resize( followed by non-numeric characters, semicolons, or CSS property names.
  • Add a server-side response filter or DOM scanner that flags <img> tags whose style attribute contains more than one declaration or uses position:fixed.
  • Review recent commits to the pages Git repository, if version-controlled, for image resize parameter tampering.

Monitoring Recommendations

  • Monitor Grav admin authentication and page-edit events for accounts with editor-tier roles that touch pages later viewed by administrators.
  • Alert on web server responses where inline style attributes on images exceed a conservative character threshold.
  • Correlate content edits with subsequent admin session activity to identify potential UI redress attempts.

How to Mitigate CVE-2026-58657

Immediate Actions Required

  • Upgrade Grav to version 2.0.0 or later, which contains the fix for Excerpts::processMediaActions() and the media hardening changes.
  • Audit existing Markdown content for image references whose resize() parameters contain characters other than digits and simple units.
  • Restrict the editor role membership to trusted users until upgrade and content review are complete.

Patch Information

The vendor released fixes in the upstream repository. Review the corrective changes in Grav commit 6582166 and Grav commit e03d29a. Both are shipped as part of the 2.0.0 release. No verified public exploit is currently indexed, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Workarounds

  • Remove or restrict the ability of untrusted roles to edit Markdown pages until the patched release is deployed.
  • Sanitize existing pages by stripping or validating resize() arguments to permit only numeric width and height values.
  • Deploy a reverse proxy rule that strips inline style attributes from image tags on rendered Grav pages.
bash
# Upgrade Grav via the built-in CLI to the fixed release
cd /var/www/grav
bin/gpm selfupgrade -f
bin/gpm version
# Verify the installed version is 2.0.0 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.