CVE-2026-42841: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav grav
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public attribute() media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element. This vulnerability is fixed in 2.0.0-beta.2.
AI Analysis
Technical Summary
Grav versions before 2.0.0-beta.2 contain a CWE-79 improper input neutralization vulnerability. Authenticated users with page editing permissions can exploit the Markdown media action syntax to inject JavaScript event-handler attributes into image HTML elements. This is due to the conversion of Markdown image query parameters into callable media actions, specifically through the public attribute() media method, which allows setting arbitrary HTML attribute names and values. The issue is resolved in version 2.0.0-beta.2.
Potential Impact
An authenticated user with page editing permissions can inject executable JavaScript into image elements, potentially leading to cross-site scripting attacks within the context of the Grav platform. This could allow execution of arbitrary scripts in the browser of users viewing the affected pages. The CVSS 4.0 score is 6.9 (medium severity), reflecting the need for authentication and user interaction but high impact on confidentiality and integrity.
Mitigation Recommendations
This vulnerability is fixed in Grav version 2.0.0-beta.2. Users should upgrade to version 2.0.0-beta.2 or later to remediate this issue. No official patch or temporary fix is indicated beyond upgrading. Since this is not a cloud service, remediation depends on applying the fixed version. Patch status is not explicitly confirmed beyond the stated fix version; verify with the vendor advisory for the latest guidance.
CVE-2026-42841: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav grav
Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public attribute() media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element. This vulnerability is fixed in 2.0.0-beta.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Grav versions before 2.0.0-beta.2 contain a CWE-79 improper input neutralization vulnerability. Authenticated users with page editing permissions can exploit the Markdown media action syntax to inject JavaScript event-handler attributes into image HTML elements. This is due to the conversion of Markdown image query parameters into callable media actions, specifically through the public attribute() media method, which allows setting arbitrary HTML attribute names and values. The issue is resolved in version 2.0.0-beta.2.
Potential Impact
An authenticated user with page editing permissions can inject executable JavaScript into image elements, potentially leading to cross-site scripting attacks within the context of the Grav platform. This could allow execution of arbitrary scripts in the browser of users viewing the affected pages. The CVSS 4.0 score is 6.9 (medium severity), reflecting the need for authentication and user interaction but high impact on confidentiality and integrity.
Mitigation Recommendations
This vulnerability is fixed in Grav version 2.0.0-beta.2. Users should upgrade to version 2.0.0-beta.2 or later to remediate this issue. No official patch or temporary fix is indicated beyond upgrading. Since this is not a cloud service, remediation depends on applying the fixed version. Patch status is not explicitly confirmed beyond the stated fix version; verify with the vendor advisory for the latest guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-30T16:44:48.375Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a01f792cbff5d86102f20e8
Added to database: 5/11/2026, 3:36:50 PM
Last enriched: 5/11/2026, 3:53:44 PM
Last updated: 5/12/2026, 3:53:17 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.