CVE-2026-42841
Severity: MEDIUM
Grav: Stored XSS via Markdown media attribute() action in Grav CMS
Title source: CNA description
Grav is a file-based web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute (an on* attribute) into the HTML rendered for a Markdown image, using Grav's Markdown media action syntax. The root cause is that query parameters on a Markdown image reference are converted into calls to media action methods, and the public attribute() media method is reachable that way. An editor can therefore set an arbitrary HTML attribute name and value on the generated image element, and the attribute name itself carries the payload, so escaping the attribute value at render time does not stop it. This vulnerability is fixed in 2.0.0-beta.2.
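A minimal model of the dispatch pattern described above, added here as an example and not taken from Grav's code base: query parameters on a Markdown image are turned into method calls on a media object, so a generic public setter becomes reachable from page content. The `?action=arg1,arg2` syntax, the `ImageMedium` class, the action names in `ALLOWED_ACTIONS` and the sample Markdown are all assumptions for illustration; the hardened renderer and the `find_unlisted_actions` hunting helper are likewise illustrative, not the project's fix.

```python
import html
import re

# Toy Markdown image parser. The "?action=arg1,arg2&action2=..." query
# syntax is an assumption modelled on Grav's media-action style, not Grav's
# actual parser. Balanced parentheses are allowed inside the query so a
# payload such as alert(1) survives parsing.
IMAGE_RE = re.compile(
    r"!\[(?P<alt>[^\]]*)\]\((?P<src>[^)\s?]+)"
    r"(?:\?(?P<query>(?:[^\s()]|\([^\s()]*\))*))?\)"
)

# Constructed sample: one legitimate action followed by the generic setter.
SAMPLE = "![logo](logo.png?resize=300,200&attribute=onerror,alert(1))"


class ImageMedium:
    """Toy medium object: actions accumulate attributes on one <img>."""

    def __init__(self, src):
        self.attrs = {"src": src}

    def resize(self, width, height=""):
        self.attrs["width"] = width
        if height:
            self.attrs["height"] = height
        return self

    def classes(self, *names):
        self.attrs["class"] = " ".join(names)
        return self

    def attribute(self, name, value=""):
        # Generic public setter: arbitrary attribute name and value.
        # Harmless when called from templates, dangerous when reachable
        # from editor-controlled Markdown.
        self.attrs[name] = value
        return self

    def html(self, alt):
        # Values are escaped, but an injected *name* like onerror is still
        # emitted verbatim, so output escaping alone does not help here.
        parts = [f'{k}="{html.escape(v, quote=True)}"' for k, v in self.attrs.items()]
        return f'<img alt="{html.escape(alt, quote=True)}" {" ".join(parts)}>'


def parse_query(query):
    """'a=1,2&b=x' -> [('a', ['1', '2']), ('b', ['x'])]."""
    actions = []
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        actions.append((name, raw.split(",") if raw else []))
    return actions


def render_vulnerable(markdown):
    """Every public method is treated as a callable action (the flawed pattern)."""
    def repl(m):
        medium = ImageMedium(m.group("src"))
        for name, args in parse_query(m.group("query") or ""):
            method = getattr(medium, name, None)
            if callable(method) and not name.startswith("_"):
                method(*args)
        return medium.html(m.group("alt"))
    return IMAGE_RE.sub(repl, markdown)


# Assumed allowlist of actions that content is permitted to invoke.
ALLOWED_ACTIONS = {"resize", "classes"}


def render_hardened(markdown):
    """Only allowlisted actions are dispatched; attribute() is never reachable."""
    def repl(m):
        medium = ImageMedium(m.group("src"))
        for name, args in parse_query(m.group("query") or ""):
            if name not in ALLOWED_ACTIONS:
                continue  # unknown or generic action: ignored, not dispatched
            getattr(medium, name)(*args)
        return medium.html(m.group("alt"))
    return IMAGE_RE.sub(repl, markdown)


def find_unlisted_actions(markdown):
    """Hunting helper for existing content: (src, action) pairs outside the allowlist."""
    hits = []
    for m in IMAGE_RE.finditer(markdown):
        for name, _ in parse_query(m.group("query") or ""):
            if name not in ALLOWED_ACTIONS:
                hits.append((m.group("src"), name))
    return hits


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE))
    print(render_hardened(SAMPLE))
    print(find_unlisted_actions(SAMPLE))
```

Running the sample through `render_vulnerable` yields an `<img>` carrying `onerror="alert(1)"`, while `render_hardened` emits only the `src`, `width` and `height` attributes. The fix that matters is the dispatch rule, not output encoding: content may only reach an explicit allowlist of actions, and a generic setter like attribute() must not be on it. `find_unlisted_actions` can be run over a site's Markdown pages to find references that already use non-allowlisted actions before upgrading.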
References (2)
Advisory (x_refsource_confirm): https://github.com/getgrav/grav/security/advisories/GHSA-r7fx-8g49-7hhr
Commit (x_refsource_misc): https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663
Scores
CVSS v3 base score: 4.8 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (network, low complexity, high privileges required, user interaction required, scope changed, low confidentiality and integrity impact, no availability impact)
Attack Vector: NETWORK
EPSS: 0.0018 (percentile 7.5%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (4)
getgrav/grav: 2.0.0 beta1
getgrav/grav: < 1.8.0
getgrav/grav: 0 - 2.0.0-beta.2 (Packagist)
getgrav/grav: < 2.0.0-beta.2
Published: May 11, 2026
Tracked since: May 11, 2026