Grav CMS CVE-2026-42842
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel.
Additionally, Grav's built-in XSS detection (Security::detectXss()) can be bypassed by using payloads that close the <option>/<select> context and use unquoted event handlers - the on_events regex fails to match event handlers without quotes or trailing spaces before >.
Important
- The vulnerability is in the Form plugin (
select.html.twig), which is installed by default with Grav - The XSS is cross-page: a malicious taxonomy value on one page executes when an admin edits any page, because taxonomy options are rendered from a shared global pool
- An editor can exploit this without any other vulnerability - taxonomy fields are not in the server-side restricted fields list
- The
HttpOnlyflag on session cookies prevents direct session theft, but the XSS can steal the admin nonce and perform privileged actions via JavaScript
Permissions Needed
- Editor: can create or edit pages and set taxonomy tag/category values
Details
The Form plugin's select field template renders option values using the |raw Twig filter, which outputs content without HTML escaping:
File: user/plugins/form/templates/forms/fields/select/select.html.twig
{
# Line 55 #}
avalue|raw
{
# Line 65 #}
suboption|t|raw
{
# Line 72 #}
item_value|t|rawThe taxonomy field in the page editor uses this select template. When a page has taxonomy values (tags, categories), these values are populated as <option> elements in the select dropdown. The value attribute is properly escaped by the browser's attribute encoding, but the display text between <option> tags is rendered raw:
<option value="<script>alert(1)</script>"><script>alert(1)</script></option>Since taxonomy options are collected globally across all pages (to provide autocomplete/selection), a malicious taxonomy value on any page will appear in the taxonomy dropdown of every page editor - making this a cross-page stored XSS.
The server-side field restriction in the flex-objects plugin only blocks ['form', 'forms', 'process', 'twig'] for non-super users. Taxonomy fields are not restricted, so editors can freely set arbitrary taxonomy values.
XSS Detection Bypass
Grav's Security::detectXss() checks for dangerous_tags (e.g., <script>, <iframe>), on_events (event handlers), and invalid_protocols (e.g., javascript:). However, the on_events regex:
'on_events' => '#(<[^>]+[a-z\x00-\x20"\'\/)(?:on[a-z]+)\s*=[\s|\'"'].*[\s|\'"']>#iUu'requires either quotes around the handler value or a trailing space before >. An unquoted handler like onerror=alert(1)> (no space before >) bypasses this check entirely.
Combined with </option></select> to break out of the select context (neither tag is in dangerous_tags), the full payload evades all three detection layers and triggers no XSS warning in the admin panel.
PoC
Step 1: Login as Editor
Navigate to http://TARGET/admin/ and authenticate with editor credentials.
Step 2: Create a Page with Malicious Taxonomy
- Go to Pages → Add → Add Page
- Title:
XSS via editor - Go to Options Tap
- On Taxonomies, Add tag:
</option></select><img src=x onerror=alert('XSS-via-editor')>This payload:
- Closes
</option></select>to break out of the select dropdown context - Injects an
<img>tag with an unquotedonerrorhandler (bypasseson_eventsregex) - Is not in the
dangerous_tagslist (no<script>,<iframe>, etc.) - Triggers no XSS warning in the admin panel
<img width="1221" height="857" alt="image" src="https://github.com/user-attachments/assets/6223cbb2-f04b-46bd-89ce-828c89ad77ab" />
Step 3: Trigger the XSS
When any administrator navigates to the page editor of any page (not just the malicious one), the JavaScript executes immediately.
<img width="1224" height="856" alt="image" src="https://github.com/user-attachments/assets/f008b0f2-dedb-4b22-a74a-cdc0d7325cb4" />
The XSS fires because taxonomy tag options are collected globally across all pages and rendered with |raw in the select dropdown template. The payload breaks out of the <option> context, and the browser renders the <img> tag as a regular DOM element.
Impact
- Session hijacking: While
HttpOnlyprevents direct cookie theft, the XSS can steal the admin nonce token and perform any admin action via AJAX requests - Privilege escalation: An editor can perform admin-only actions (create users, modify system configuration, install plugins) through the hijacked admin session
- Cross-page impact: A single malicious taxonomy value affects the entire admin panel - every page editor view is compromised
---
Maintainer note - fix applied (2026-04-24)
Fixed across two repos:
- grav-plugin-form 9.0.1 (commit
6bffb4c) - the primary fix. All four|rawfilters intemplates/forms/fields/select/select.html.twig(placeholder, avalue, suboption, item_value) have been removed. Option labels - including taxonomy values that propagate cross-page through the admin's shared selection pool - now go through Twig's default escaper, so a lower-privileged editor can no longer inject script that runs in an admin's browser when they open any page editor. - Grav core on the
2.0branch (commit5a12f9be8, ships in 2.0.0-beta.2) - closes the detection-bypass half of the report. Theon_eventsregex inSecurity::detectXss()is tightened so unquoted handlers likeonerror=alert(1)>are flagged (see separate GHSA-9695-8fr9-hw5q), andoption/selecthave been added to defaultsecurity.xss_dangerous_tagsso</option></select>…tripwires the detector (see separate GHSA-w8cg-7jcj-4vv2).
Sites running admin2 on Grav 2.0.0-beta.2 get the 9.0.1 form plugin automatically via its existing dependency graph.
Files:
templates/forms/fields/select/select.html.twig- four|rawremoved.system/config/security.yaml- dangerous-tags list extended.system/src/Grav/Common/Security.php-on_eventsregex tightened.tests/unit/Grav/Common/Security/DetectXssTest.php- includes the GHSA-c2q3 PoC payload.
AnalysisAI
Stored cross-site scripting in Grav CMS Form plugin allows editor-level users to inject arbitrary JavaScript via taxonomy tag and category values that execute in administrator browsers when viewing any page in the admin panel. The vulnerability exploits unescaped Twig |raw filters in the select field template combined with a bypassable XSS detection regex, enabling privilege escalation through nonce theft and unauthorized admin actions. Vendor-released patch available in grav-plugin-form 9.0.1 and Grav core 2.0.0-beta.2.
Technical ContextAI
The Form plugin's select field template (select.html.twig) renders option values using Twig's |raw filter, which bypasses HTML escaping. Taxonomy fields are implemented as select dropdowns where option display text is rendered unescaped, although attribute values are properly encoded by browser defaults. The vulnerability is amplified by Grav's global taxonomy pool: a malicious taxonomy value added to any page propagates to every page editor's taxonomy dropdown, making this cross-page stored XSS. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation). Additionally, Grav's built-in Security::detectXss() function contained a regex bypass in the on_events pattern that required quotes or whitespace around event handler attributes, allowing payloads like onerror=alert(1)> (without quotes or trailing space) to evade detection. The exploit also closes the <option>/<select> context using tags not flagged as dangerous, further bypassing the detection layer.
RemediationAI
Upgrade Grav CMS to version 2.0.0-beta.2 or later, which includes the patched grav-plugin-form 9.0.1 automatically via dependency resolution. The primary fix removes all |raw Twig filters from the select field template (select.html.twig), ensuring taxonomy values are escaped by default. For Grav 2.0 users, also verify that the patched form plugin version 9.0.1 is installed, as the select.html.twig file in that plugin contains the critical fix. Core fixes include tightening the on_events regex in Security::detectXss() to reject unquoted event handlers, and adding svg, math, option, and select to the default security.xss_dangerous_tags list to prevent context-breaking exploits. Sites unable to upgrade immediately should restrict editor-level taxonomy field permissions if possible, or apply output encoding at the application level by modifying select.html.twig locally to remove the |raw filters-however, this is not a supported configuration and may break during future updates.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c2q3-p4jr-c55f