Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:L because content editor is a low-privilege role, not admin; UI:R and S:C because impact is realized in a different user's browser session.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Grav before 2.0.0 (affected through 2.0.0-rc.9 and the 2.0 branch) contains a stored CSS injection vulnerability in the Markdown image resize() media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute() fallbacks, but the resize() action in Excerpts::processMediaActions() writes caller-controlled values directly into the image's styleAttributes. A lower-privileged content editor who can edit page Markdown can store a crafted image URL with semicolon-delimited CSS declarations in the resize parameters, which are rendered into the final <img style=...> attribute when a higher-privileged reviewer/admin views the page or preview. This does not require JavaScript execution but enables UI redress/overlay and content-manipulation attacks (e.g., a full-viewport fixed overlay). Fixed in 2.0.0.
AnalysisAI
Stored CSS injection in Grav CMS (all 2.0 branch releases through 2.0.0-rc.9) lets a lower-privileged content editor manipulate the visual interface seen by higher-privileged administrators and reviewers. The resize() Markdown media action in Excerpts::processMediaActions() writes caller-controlled values directly into rendered img style attributes without sanitization, despite prior hardening that blocked the ?style= and attribute() vectors. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two specific conditions must both be satisfied: (1) The attacker must hold an authenticated content editor account in the Grav CMS with write permission to edit Markdown pages - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.8 reflects the constrained conditions: the attacker must hold a content editor account (PR:H in the vendor-supplied vector, reflecting meaningful write access to the CMS) and a higher-privileged user must actively view the crafted page (UI:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A lower-privileged content editor logs into the Grav admin panel and creates or edits a Markdown page, embedding an image reference with CSS declarations such as position:fixed;top:0;left:0;width:100vw;height:100vh;background:white injected as resize() parameters. When an administrator or reviewer opens the page for approval, the Grav rendering pipeline writes the injected CSS into the img element's style attribute, causing the admin's browser to display a full-viewport overlay that obscures the legitimate admin interface and can redirect clicks to attacker-controlled elements. … |
| Remediation | Upgrade to Grav 2.0.0, which is confirmed by the vendor as the fixed release (GitHub Security Advisory GHSA-ffmg-hfvg-jhg9). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42267
GHSA-4wj4-79rr-pvff