Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public attribute() media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element. This vulnerability is fixed in 2.0.0-beta.2.
Published: 2026-05-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated page editor can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. Because image query parameters are turned into calls on the media object, the public attribute() method is reachable from page content and accepts an arbitrary attribute name and value, so a crafted image tag can emit an event-handler attribute (an onerror or onload handler, for instance) that the browser executes when the page is viewed. This is a stored cross-site scripting (XSS) flaw, classified under CWE-79.

Affected Systems

The vulnerability affects Grav CMS releases prior to 2.0.0-beta.2; the CPE data lists getgrav:grav generically and 2.0.0-beta1 specifically. A site is exposed when any account with page editing privileges can publish Markdown images that use the attribute() media action: the editor is the attacker, and everyone who views the rendered page is a potential victim.

Risk and Exploitability

The CVSS v4.0 score is 6.9 (Medium); the CVSS v3.1 vector recorded in the history below scores 4.8. The EPSS probability is below 1%, the flaw is not listed in the CISA KEV catalog, and the SSVC record rates exploitation as 'poc' (proof-of-concept level, no active exploitation recorded) and not automatable. Both vectors require high privileges (PR:H): the attacker needs an authenticated account with editing rights, obtained legitimately or through account compromise. Once a malicious image tag is stored, the XSS runs in the browser of any visitor who views the page (scope changed in the v3.1 vector, SC:H in v4.0), where it can read session cookies, perform actions as the victim, or exfiltrate credentials and other data.

Generated by OpenCVE AI on May 11, 2026 at 16:55 UTC.

Remediation

Fixed in Grav 2.0.0-beta.2 (see the GitHub advisory GHSA-r7fx-8g49-7hhr below). No separate workaround is published on this page.

OpenCVE Recommended Actions

  • Upgrade Grav CMS to version 2.0.0-beta.2 or later to apply the vendor‑supplied fix.
  • Limit page editing permissions to trusted users and enforce least privilege to reduce the chance of malicious content being added.
  • Audit existing Markdown content (Grav stores pages as files under user/pages) for image tags that use the attribute() action, and remove or sanitize them to eliminate any pre-existing payloads.
  • Deploy a Content Security Policy whose script-src directive omits 'unsafe-inline' (and 'unsafe-hashes'); this blocks inline event-handler attributes such as the one injected here and restricts script execution to trusted origins, providing an additional mitigation layer.
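Added example, written for this page and not taken from Grav's source: a small Python model of the mechanism described in the Description and Impact sections (image query parameters dispatched as media-action calls, so the public attribute() method can set any attribute name) beside a hardened dispatcher, plus an audit routine for the content review in the third recommended action above. The Markdown shape ![alt](file.png?attribute=name,value), the Medium class, the action names and the attribute allowlist are assumptions for illustration; Grav's real implementation and its fix in 2.0.0-beta.2 are not reproduced here, and the sample page content is constructed.

```python
import html
import re

# Simplified model written for this page, not Grav's code: a Markdown image
# carries media actions in its query string, e.g.
#   ![Logo](logo.png?resize=300,200&attribute=class,hero)
# and each key is treated as a method name with comma-separated arguments.
# The syntax shape, class and method names here are assumptions.
IMAGE_RE = re.compile(
    r"!\[(?P<alt>[^\]]*)\]"                          # ![alt]
    r"\((?P<src>[^)\s?]+)"                           # (path
    r"(?:\?(?P<query>(?:[^()\s]|\([^()\s]*\))*))?"   # ?actions, one level of () allowed
    r"\)"
)

def parse_actions(query):
    """'resize=300,200&attribute=x,y' -> [('resize', ['300','200']), ('attribute', ['x','y'])]"""
    actions = []
    for part in (query or "").split("&"):
        if part:
            name, _, raw = part.partition("=")
            actions.append((name, raw.split(",") if raw else []))
    return actions

class Medium:
    """Stand-in for a media object that renders an <img> element."""

    def __init__(self, src, alt):
        self.src, self.alt, self.attrs = src, alt, {}

    def resize(self, width, height):
        self.attrs["width"], self.attrs["height"] = width, height
        return self

    def attribute(self, name, value=""):
        # The attribute NAME is caller-controlled; escaping the value cannot help
        # once the name itself is onerror, onload, onmouseover, ...
        self.attrs[name] = value
        return self

    def html(self):
        parts = [f'src="{html.escape(self.src)}"', f'alt="{html.escape(self.alt)}"']
        parts += [f'{k}="{html.escape(v)}"' for k, v in self.attrs.items()]
        return "<img " + " ".join(parts) + ">"

def _medium_for(markdown_image):
    m = IMAGE_RE.fullmatch(markdown_image.strip())
    if m is None:
        raise ValueError(f"not a Markdown image: {markdown_image!r}")
    return Medium(m["src"], m["alt"]), parse_actions(m["query"])

def render_vulnerable(markdown_image):
    """Reflection-style dispatch: every public method, attribute() included, is reachable."""
    medium, actions = _medium_for(markdown_image)
    for name, args in actions:
        method = getattr(medium, name, None)
        if callable(method):
            method(*args)
    return medium.html()

# Hardened variant: an explicit action table instead of getattr(), and a closed
# allowlist of attribute names, none of which can be an event handler.
SAFE_ATTRIBUTE_NAME = re.compile(r"(?:class|title|loading|data-[a-z0-9-]+)")

def safe_attribute(medium, name, value=""):
    if not SAFE_ATTRIBUTE_NAME.fullmatch(name):
        raise ValueError(f"attribute name not allowed: {name!r}")
    return medium.attribute(name, value)

ACTIONS = {"resize": Medium.resize, "attribute": safe_attribute}

def render_hardened(markdown_image):
    medium, actions = _medium_for(markdown_image)
    for name, args in actions:
        action = ACTIONS.get(name)
        if action is None:
            continue                     # unknown action: ignored, never dispatched
        try:
            action(medium, *args)
        except (ValueError, TypeError):  # rejected name or wrong arity: dropped
            continue
    return medium.html()

def audit_markdown(text):
    """(line, attribute name, severity) for every image that reaches attribute()."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IMAGE_RE.finditer(line):
            for name, args in parse_actions(m["query"]):
                if name.lower() == "attribute" and args:
                    attr = args[0].strip().lower()
                    findings.append((lineno, attr, "high" if attr.startswith("on") else "review"))
    return findings

# Constructed sample page content, not taken from any real site.
SAMPLE_PAGE = """\
---
title: Gallery
---
![Team](team.jpg?resize=640,480)
![Logo](logo.png?attribute=class,hero)
![Pixel](x.png?attribute=onerror,alert(document.cookie))
"""
```

Rendering the third sample line through render_vulnerable() yields an img element with an onerror attribute even though every value is HTML-escaped, which is the point of the advisory: output encoding protects attribute values, not attribute names. The audit only matches this Markdown shape on a single line; images embedded via raw HTML or Twig need a separate check, and a hit on a non-event attribute is still worth a look because the fixed release, not this allowlist, is the authority on what attribute() should accept.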



Advisories

Source: GitHub GHSA
ID: GHSA-r7fx-8g49-7hhr
Title: Grav CMS vulnerable to stored XSS via Markdown media attribute() action
History

Wed, 13 May 2026 07:15:00 +0000
Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 16:30:00 +0000
CPEs, values added: cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*; cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*
Metrics (cvssV3_1), values added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Mon, 11 May 2026 17:15:00 +0000
First Time appeared, values added: Getgrav; Getgrav grav
Vendors & Products, values added: Getgrav; Getgrav grav

Mon, 11 May 2026 15:30:00 +0000
Description, values added: Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public attribute() media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element. This vulnerability is fixed in 2.0.0-beta.2.
Title, values added: Grav: Stored XSS via Markdown media attribute() action in Grav CMS
Weaknesses, values added: CWE-79
References, values added: (none listed)
Metrics (cvssV4_0), values added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-11T16:19:12.101Z
Reserved: 2026-04-30T16:44:48.375Z
Link: CVE-2026-42841

Vulnrichment

Updated: 2026-05-11T16:18:48.307Z

NVD

Status: Analyzed
Published: 2026-05-11T16:17:34.653
Modified: 2026-05-12T16:16:34.537
Link: CVE-2026-42841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:00:15Z

Weaknesses