CVE-2026-42842 - Vulnerability Details

- grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel

Description

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel. This vulnerability is fixed in 9.1.0.

Published: 2026-05-11

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Grav form plugin renders taxonomy tag and category values in the admin panel using Twig’s |raw filter, bypassing autoescape protection. This flaw permits an editor‑level user to inject persistent JavaScript that runs whenever an administrator views or edits a page. The injected code is stored and can be reused across sessions, making the attack repeatable in the administrative context.

Affected Systems

Grav CMS and its Grav Form Plugin, distributed by getgrav. Versions of the form plugin prior to 9.1.0 are vulnerable. The issue is resolved in release 9.1.0, so any deployment using an earlier plugin version is impacted.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. EPSS information is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited known exploitation. Exploitation requires an attacker to have editor privileges in order to add or modify taxonomy field values; the attack then triggers when an administrator opens the affected page for viewing or editing.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

getgrav

grav

affected

Version	Status	Constraints
`< 2.0.0-beta.2`	affected	—

getgrav

grav-plugin-form

affected

Version	Status	Constraints
`< 9.1.0`	affected	—

No data.

Vendor Product Confidence Versions

Getgrav

Grav

100%

Version	Status	Scheme	Platform
`[0,2.0.0-beta.2)`	affected	semver	—

Getgrav

Grav-plugin-form

100%

Version	Status	Scheme	Platform
`[0,9.1.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Grav form plugin to version 9.1.0 or later; this release removes the raw rendering of taxonomy field values.
If an immediate upgrade is not feasible, remove or sanitize any taxonomy field values that contain malicious content or disable the select field template that renders taxonomy tags.
Restrict editor‑level access to trusted personnel and monitor taxonomy input for unexpected characters.

Generated by OpenCVE AI on May 11, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-c2q3-p4jr-c55f	Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/getgrav/grav-plugin-form/commit/6bffb4c98be468a155d1656544ec45bb4a443957
https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f

History

Tue, 12 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Getgrav Getgrav grav Getgrav grav-plugin-form
Vendors & Products		Getgrav Getgrav grav Getgrav grav-plugin-form

Mon, 11 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 11 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig \|raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel. This vulnerability is fixed in 9.1.0.
Title		grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel
Weaknesses		CWE-79
References		https://github.com/getgrav/grav-plugin-form/commit/6bffb4c98be468a155d1656544ec45bb4a443957 https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Getgrav Grav Grav-plugin-form

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-11T15:29:36.490Z

Updated: 2026-05-11T18:25:09.488Z

Reserved: 2026-04-30T16:44:48.376Z

Link: CVE-2026-42842

Vulnrichment

Updated: 2026-05-11T18:25:05.790Z

NVD

Status : Received

Published: 2026-05-11T17:16:33.873

Modified: 2026-05-11T19:16:24.190

Link: CVE-2026-42842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:06Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object