Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (with the ability to create a page) can cause XSS with the injection of an SVG element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page, which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.
Published: 2026-05-11
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw: a low-privileged user who is allowed to create pages can inject an SVG element carrying script into a page. When a Super Admin later views that page, the script runs in the admin's session and can read the system configuration data exposed at /admin/config/info. Combined with the admin-nonce mechanism, this can be chained to remote code execution on the server. The flaw is classified as CWE-79.

Affected Systems

Grav, the open-source file-based web content management system from getgrav (CPE vendor getgrav, product grav), is affected in all releases older than 2.0.0-beta.2. Operators running those versions should audit which accounts hold page-creation privileges and whether any of them are untrusted.

Risk and Exploitability

The flaw carries a CVSS 3.1 score of 8.9, indicating high severity. No EPSS data is available, and the absence of a KEV listing does not diminish the risk for active installations: exploitation only requires creating a new page that contains the injected SVG, and the impact materialises when a Super Admin subsequently visits that page. If an admin nonce can be co-opted, the vulnerability provides a clear path to remote code execution. Given the high impact and the availability of a fixed release, timely remediation is critical.

Generated by OpenCVE AI on May 11, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grav to version 2.0.0‑beta.2 or later, which contains the fix for the tag injection flaw.
  • Restrict page creation rights to trusted users or temporarily disable page creation for low‑privileged accounts until the upgrade is complete.
  • If an upgrade is not immediately possible, remove or sanitize SVG tags from page content and enforce input validation on all user‑generated HTML before storage.
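The last two actions above (rejecting SVG and enforcing validation of user-generated HTML before it is stored) can be implemented with an allowlist sanitizer. The following is an added example written for this page, not Grav's own code; it uses only the Python standard library, and the tag and attribute allowlist is an assumption chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist (an assumption for this example, not Grav's configuration):
# anything not listed here, svg and script included, is dropped with its content.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http:", "https:", "mailto:", "/")
HTML_VOID = {"br", "hr", "img", "input", "embed", "source", "link", "meta", "wbr"}  # no end tag

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside a disallowed element

    def _safe_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Event handlers (on*) and unlisted attributes are removed outright.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            # URL attributes must use an expected scheme (blocks javascript: and data:).
            if name in ("href", "src") and not (value or "").strip().lower().startswith(SAFE_URL_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if self.drop_depth or tag not in ALLOWED_TAGS:
            if tag not in HTML_VOID:  # an unclosed <svg> fails closed: the rest is dropped
                self.drop_depth += 1
            return
        self.out.append(f"<{tag}{self._safe_attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self.drop_depth:
            if tag not in HTML_VOID:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in HTML_VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data))  # text is re-escaped, never passed through

def sanitize_html(fragment: str) -> str:
    s = Sanitizer()
    s.feed(fragment)
    s.close()  # flush any buffered trailing text
    return "".join(s.out)
```

Run the sanitizer on submitted page content before it is written to disk; an allowlist that rebuilds the fragment is safer than a denylist that only strips known-bad tags.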


Advisories
Source: GitHub GHSA
ID: GHSA-w8cg-7jcj-4vv2
Title: Grav is Vulnerable to Stored XSS via Tag Injection
History

Tue, 12 May 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*
cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Getgrav
Getgrav grav
Vendors & Products Getgrav
Getgrav grav

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.
Title Grav: Stored XSS via Tag Injection
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:23:59.282Z

Reserved: 2026-04-29T00:31:15.726Z

Link: CVE-2026-42611

Vulnrichment

Updated: 2026-05-11T18:23:55.414Z

NVD

Status: Analyzed

Published: 2026-05-11T16:17:34.173

Modified: 2026-05-12T16:16:44.470

Link: CVE-2026-42611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:15:39Z

Weaknesses