Synced 18 Jun 2026 05:58 UTC Account
← All products

CVE-2026-42841

MEDIUM severity · CVSS 4.8 · Cross-site scripting (XSS)
4.8CVSS MEDIUM

Summary

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public attribute() media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element. This vulnerability is fixed in 2.0.0-beta.2.

Impact & exploitability

Attack vectorNetwork
Attack complexityLow
Privileges requiredHigh
User interactionRequired
Confidentiality impactLow
Integrity impactLow
Availability impactNone
Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Affected products we track (1)

Grav

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663 ↗

Additional information