Skip to main content

Grav CMS CVE-2026-42842

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-05 https://github.com/getgrav/grav GHSA-c2q3-p4jr-c55f
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 21:49 vuln.today
Analysis Generated
May 05, 2026 - 21:49 vuln.today

DescriptionGitHub Advisory

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel.

Additionally, Grav's built-in XSS detection (Security::detectXss()) can be bypassed by using payloads that close the <option>/<select> context and use unquoted event handlers - the on_events regex fails to match event handlers without quotes or trailing spaces before >.

Important

  • The vulnerability is in the Form plugin (select.html.twig), which is installed by default with Grav
  • The XSS is cross-page: a malicious taxonomy value on one page executes when an admin edits any page, because taxonomy options are rendered from a shared global pool
  • An editor can exploit this without any other vulnerability - taxonomy fields are not in the server-side restricted fields list
  • The HttpOnly flag on session cookies prevents direct session theft, but the XSS can steal the admin nonce and perform privileged actions via JavaScript

Permissions Needed

  • Editor: can create or edit pages and set taxonomy tag/category values

Details

The Form plugin's select field template renders option values using the |raw Twig filter, which outputs content without HTML escaping:

File: user/plugins/form/templates/forms/fields/select/select.html.twig

twig
{
# Line 55 #}
 avalue|raw

{
# Line 65 #}
 suboption|t|raw

{
# Line 72 #}
 item_value|t|raw

The taxonomy field in the page editor uses this select template. When a page has taxonomy values (tags, categories), these values are populated as <option> elements in the select dropdown. The value attribute is properly escaped by the browser's attribute encoding, but the display text between <option> tags is rendered raw:

html
<option value="&lt;script&gt;alert(1)&lt;/script&gt;"><script>alert(1)</script></option>

Since taxonomy options are collected globally across all pages (to provide autocomplete/selection), a malicious taxonomy value on any page will appear in the taxonomy dropdown of every page editor - making this a cross-page stored XSS.

The server-side field restriction in the flex-objects plugin only blocks ['form', 'forms', 'process', 'twig'] for non-super users. Taxonomy fields are not restricted, so editors can freely set arbitrary taxonomy values.

XSS Detection Bypass

Grav's Security::detectXss() checks for dangerous_tags (e.g., <script>, <iframe>), on_events (event handlers), and invalid_protocols (e.g., javascript:). However, the on_events regex:

php
'on_events' => '#(<[^>]+[a-z\x00-\x20"\'\/)(?:on[a-z]+)\s*=[\s|\'"'].*[\s|\'"']>#iUu'

requires either quotes around the handler value or a trailing space before >. An unquoted handler like onerror=alert(1)> (no space before >) bypasses this check entirely.

Combined with </option></select> to break out of the select context (neither tag is in dangerous_tags), the full payload evades all three detection layers and triggers no XSS warning in the admin panel.

PoC

Step 1: Login as Editor

Navigate to http://TARGET/admin/ and authenticate with editor credentials.

Step 2: Create a Page with Malicious Taxonomy
  • Go to Pages → Add → Add Page
  • Title: XSS via editor
  • Go to Options Tap
  • On Taxonomies, Add tag:
</option></select><img src=x onerror=alert('XSS-via-editor')>

This payload:

  • Closes </option></select> to break out of the select dropdown context
  • Injects an <img> tag with an unquoted onerror handler (bypasses on_events regex)
  • Is not in the dangerous_tags list (no <script>, <iframe>, etc.)
  • Triggers no XSS warning in the admin panel

<img width="1221" height="857" alt="image" src="https://github.com/user-attachments/assets/6223cbb2-f04b-46bd-89ce-828c89ad77ab" />

Step 3: Trigger the XSS

When any administrator navigates to the page editor of any page (not just the malicious one), the JavaScript executes immediately.

<img width="1224" height="856" alt="image" src="https://github.com/user-attachments/assets/f008b0f2-dedb-4b22-a74a-cdc0d7325cb4" />

The XSS fires because taxonomy tag options are collected globally across all pages and rendered with |raw in the select dropdown template. The payload breaks out of the <option> context, and the browser renders the <img> tag as a regular DOM element.

Impact

  • Session hijacking: While HttpOnly prevents direct cookie theft, the XSS can steal the admin nonce token and perform any admin action via AJAX requests
  • Privilege escalation: An editor can perform admin-only actions (create users, modify system configuration, install plugins) through the hijacked admin session
  • Cross-page impact: A single malicious taxonomy value affects the entire admin panel - every page editor view is compromised

---

Maintainer note - fix applied (2026-04-24)

Fixed across two repos:

  1. grav-plugin-form 9.0.1 (commit 6bffb4c) - the primary fix. All four |raw filters in templates/forms/fields/select/select.html.twig (placeholder, avalue, suboption, item_value) have been removed. Option labels - including taxonomy values that propagate cross-page through the admin's shared selection pool - now go through Twig's default escaper, so a lower-privileged editor can no longer inject script that runs in an admin's browser when they open any page editor.
  2. Grav core on the 2.0 branch (commit 5a12f9be8, ships in 2.0.0-beta.2) - closes the detection-bypass half of the report. The on_events regex in Security::detectXss() is tightened so unquoted handlers like onerror=alert(1)> are flagged (see separate GHSA-9695-8fr9-hw5q), and option/select have been added to default security.xss_dangerous_tags so </option></select>… tripwires the detector (see separate GHSA-w8cg-7jcj-4vv2).

Sites running admin2 on Grav 2.0.0-beta.2 get the 9.0.1 form plugin automatically via its existing dependency graph.

Files:

AnalysisAI

Stored cross-site scripting in Grav CMS Form plugin allows editor-level users to inject arbitrary JavaScript via taxonomy tag and category values that execute in administrator browsers when viewing any page in the admin panel. The vulnerability exploits unescaped Twig |raw filters in the select field template combined with a bypassable XSS detection regex, enabling privilege escalation through nonce theft and unauthorized admin actions. Vendor-released patch available in grav-plugin-form 9.0.1 and Grav core 2.0.0-beta.2.

Technical ContextAI

The Form plugin's select field template (select.html.twig) renders option values using Twig's |raw filter, which bypasses HTML escaping. Taxonomy fields are implemented as select dropdowns where option display text is rendered unescaped, although attribute values are properly encoded by browser defaults. The vulnerability is amplified by Grav's global taxonomy pool: a malicious taxonomy value added to any page propagates to every page editor's taxonomy dropdown, making this cross-page stored XSS. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation). Additionally, Grav's built-in Security::detectXss() function contained a regex bypass in the on_events pattern that required quotes or whitespace around event handler attributes, allowing payloads like onerror=alert(1)> (without quotes or trailing space) to evade detection. The exploit also closes the <option>/<select> context using tags not flagged as dangerous, further bypassing the detection layer.

RemediationAI

Upgrade Grav CMS to version 2.0.0-beta.2 or later, which includes the patched grav-plugin-form 9.0.1 automatically via dependency resolution. The primary fix removes all |raw Twig filters from the select field template (select.html.twig), ensuring taxonomy values are escaped by default. For Grav 2.0 users, also verify that the patched form plugin version 9.0.1 is installed, as the select.html.twig file in that plugin contains the critical fix. Core fixes include tightening the on_events regex in Security::detectXss() to reject unquoted event handlers, and adding svg, math, option, and select to the default security.xss_dangerous_tags list to prevent context-breaking exploits. Sites unable to upgrade immediately should restrict editor-level taxonomy field permissions if possible, or apply output encoding at the application level by modifying select.html.twig locally to remove the |raw filters-however, this is not a supported configuration and may break during future updates.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-42842 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy