CVE-2026-42842: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav grav
A stored cross-site scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template prior to version 9. 1. 0. This occurs because taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when viewing or editing pages in the admin panel. The vulnerability is fixed in version 9. 1. 0. The CVSS score is 5. 4, indicating a medium severity risk.
AI Analysis
Technical Summary
The Grav CMS Form plugin before version 9.1.0 contains a stored XSS vulnerability (CWE-79) in its select field template. This vulnerability arises because taxonomy tag and category values are output using the Twig |raw filter in the admin panel, which disables automatic escaping of potentially malicious input. An attacker with editor-level privileges can inject JavaScript code that will execute in the browsers of administrators who view or edit any page in the admin interface. This vulnerability allows for cross-site scripting attacks that can compromise administrator sessions or perform unauthorized actions within the admin panel. The issue is resolved in Grav CMS Form plugin version 9.1.0.
Potential Impact
Successful exploitation allows an attacker with editor-level access to inject and store malicious JavaScript code that executes in the context of administrator users' browsers. This can lead to session hijacking, unauthorized actions, or other client-side attacks within the admin panel. The vulnerability does not affect availability and requires user interaction (administrator viewing or editing pages). The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges at editor level, user interaction needed, and partial confidentiality and integrity impact.
Mitigation Recommendations
Upgrade the Grav CMS Form plugin to version 9.1.0 or later, where this vulnerability is fixed. There is no official patch or temporary fix indicated other than upgrading. Until upgraded, restrict editor-level access to trusted users only and monitor for suspicious activity in the admin panel. Patch status is not explicitly stated beyond the fix in version 9.1.0, so verify with the vendor advisory for the latest remediation guidance.
CVE-2026-42842: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav grav
Description
A stored cross-site scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template prior to version 9. 1. 0. This occurs because taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when viewing or editing pages in the admin panel. The vulnerability is fixed in version 9. 1. 0. The CVSS score is 5. 4, indicating a medium severity risk.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Grav CMS Form plugin before version 9.1.0 contains a stored XSS vulnerability (CWE-79) in its select field template. This vulnerability arises because taxonomy tag and category values are output using the Twig |raw filter in the admin panel, which disables automatic escaping of potentially malicious input. An attacker with editor-level privileges can inject JavaScript code that will execute in the browsers of administrators who view or edit any page in the admin interface. This vulnerability allows for cross-site scripting attacks that can compromise administrator sessions or perform unauthorized actions within the admin panel. The issue is resolved in Grav CMS Form plugin version 9.1.0.
Potential Impact
Successful exploitation allows an attacker with editor-level access to inject and store malicious JavaScript code that executes in the context of administrator users' browsers. This can lead to session hijacking, unauthorized actions, or other client-side attacks within the admin panel. The vulnerability does not affect availability and requires user interaction (administrator viewing or editing pages). The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges at editor level, user interaction needed, and partial confidentiality and integrity impact.
Mitigation Recommendations
Upgrade the Grav CMS Form plugin to version 9.1.0 or later, where this vulnerability is fixed. There is no official patch or temporary fix indicated other than upgrading. Until upgraded, restrict editor-level access to trusted users only and monitor for suspicious activity in the admin panel. Patch status is not explicitly stated beyond the fix in version 9.1.0, so verify with the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-30T16:44:48.376Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a028781cbff5d86108b8f5c
Added to database: 5/12/2026, 1:50:57 AM
Last enriched: 5/12/2026, 2:10:47 AM
Last updated: 5/12/2026, 3:14:40 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.