Skip to main content

Grav CMS CVE-2026-58657

| EUVDEUVD-2026-42267 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 disclosure@vulncheck.com GHSA-4wj4-79rr-pvff
4.8
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

PR:L because content editor is a low-privilege role, not admin; UI:R and S:C because impact is realized in a different user's browser session.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 15:17 vuln.today
Patch available
Jul 08, 2026 - 15:01 EUVD

DescriptionCVE.org

Grav before 2.0.0 (affected through 2.0.0-rc.9 and the 2.0 branch) contains a stored CSS injection vulnerability in the Markdown image resize() media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute() fallbacks, but the resize() action in Excerpts::processMediaActions() writes caller-controlled values directly into the image's styleAttributes. A lower-privileged content editor who can edit page Markdown can store a crafted image URL with semicolon-delimited CSS declarations in the resize parameters, which are rendered into the final <img style=...> attribute when a higher-privileged reviewer/admin views the page or preview. This does not require JavaScript execution but enables UI redress/overlay and content-manipulation attacks (e.g., a full-viewport fixed overlay). Fixed in 2.0.0.

AnalysisAI

Stored CSS injection in Grav CMS (all 2.0 branch releases through 2.0.0-rc.9) lets a lower-privileged content editor manipulate the visual interface seen by higher-privileged administrators and reviewers. The resize() Markdown media action in Excerpts::processMediaActions() writes caller-controlled values directly into rendered img style attributes without sanitization, despite prior hardening that blocked the ?style= and attribute() vectors. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Content editor authenticates to Grav admin panel
Delivery
Crafts Markdown image URL with CSS payload in resize() parameters
Exploit
Saves page, persisting injected CSS in flat-file content store
Install
Admin or reviewer opens page for review
C2
Grav renders img element with unsanitized style attribute
Execute
Injected CSS overlay displayed in privileged user's browser
Impact
UI redress or content-manipulation attack succeeds

Vulnerability AssessmentAI

Exploitation Two specific conditions must both be satisfied: (1) The attacker must hold an authenticated content editor account in the Grav CMS with write permission to edit Markdown pages - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.8 reflects the constrained conditions: the attacker must hold a content editor account (PR:H in the vendor-supplied vector, reflecting meaningful write access to the CMS) and a higher-privileged user must actively view the crafted page (UI:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A lower-privileged content editor logs into the Grav admin panel and creates or edits a Markdown page, embedding an image reference with CSS declarations such as position:fixed;top:0;left:0;width:100vw;height:100vh;background:white injected as resize() parameters. When an administrator or reviewer opens the page for approval, the Grav rendering pipeline writes the injected CSS into the img element's style attribute, causing the admin's browser to display a full-viewport overlay that obscures the legitimate admin interface and can redirect clicks to attacker-controlled elements. …
Remediation Upgrade to Grav 2.0.0, which is confirmed by the vendor as the fixed release (GitHub Security Advisory GHSA-ffmg-hfvg-jhg9). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy