CVE-2026-42612

getgrav · Grav

Grav contains a Cross-site Scripting (XSS) vulnerability allowing authenticated users with low privileges to inject malicious scripts, leading to potential unauthorized information disclosure.

Executive summary

A Cross-site Scripting vulnerability in Grav allows authenticated attackers to potentially compromise user sessions and sensitive information.

Vulnerability

This is a Stored Cross-site Scripting (CWE-79) vulnerability. It requires the attacker to have low-level authenticated access to the platform to inject malicious scripts into web pages.

Business impact

Successful exploitation allows an attacker to execute arbitrary scripts in the context of a victim's session, potentially leading to unauthorized access to sensitive data or session hijacking. Given the CVSS score of 8.5, this high-severity vulnerability poses a significant risk to the integrity and confidentiality of the platform's administrative and user interactions.

Remediation

Immediate Action: Update the Grav platform to version 2.0.0-beta.2 or later to apply the necessary security patches.

Proactive Monitoring: Review web server access logs for unusual patterns or payloads in request parameters that may indicate injection attempts.

Compensating Controls: Implement a strict Content Security Policy (CSP) to restrict the execution of unauthorized scripts and utilize a Web Application Firewall (WAF) to filter malicious input.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this vulnerability necessitates immediate attention. Administrators should prioritize updating to the patched version, 2.0.0-beta.2, to eliminate the risk of XSS-based attacks. Failure to patch may allow attackers to leverage authenticated access to manipulate platform data or compromise user accounts.