CVE-2026-42842

CVE-2026-42842 is a medium-severity cross-site scripting (XSS) vulnerability in getgrav/grav (composer), affecting versions < 2.0.0-beta.2. It is fixed in 2.0.0-beta.2.

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel.

Additionally, Grav's built-in XSS detection (Security::detectXss()) can be bypassed by using payloads that close the <option>/<select> context and use unquoted event handlers - the on_events regex fails to match event handlers without quotes or trailing spaces before >.

Important

  • The vulnerability is in the Form plugin (select.html.twig), which is installed by default with Grav
  • The XSS is cross-page: a malicious taxonomy value on one page executes when an admin edits any page, because taxonomy options are rendered from a shared global pool
  • An editor can exploit this without any other vulnerability - taxonomy fields are not in the server-side restricted fields list
  • The HttpOnly flag on session cookies prevents direct session theft, but the XSS can steal the admin nonce and perform privileged actions via JavaScript

Permissions Needed

  • Editor: can create or edit pages and set taxonomy tag/category values

Details

The Form plugin's select field template renders option values using the |raw Twig filter, which outputs content without HTML escaping:

File: user/plugins/form/templates/forms/fields/select/select.html.twig

{# Line 55 #}
 avalue|raw 

{# Line 65 #}
 suboption|t|raw 

{# Line 72 #}
 item_value|t|raw 

The taxonomy field in the page editor uses this select template. When a page has taxonomy values (tags, categories), these values are populated as <option> elements in the select dropdown. The value attribute is properly escaped by the browser's attribute encoding, but the display text between <option> tags is rendered raw:

<option value="&lt;script&gt;alert(1)&lt;/script&gt;"><script>alert(1)</script></option>

Since taxonomy options are collected globally across all pages (to provide autocomplete/selection), a malicious taxonomy value on any page will appear in the taxonomy dropdown of every page editor - making this a cross-page stored XSS.

The server-side field restriction in the flex-objects plugin only blocks ['form', 'forms', 'process', 'twig'] for non-super users. Taxonomy fields are not restricted, so editors can freely set arbitrary taxonomy values.

XSS Detection Bypass

Grav's Security::detectXss() checks for dangerous_tags (e.g., <script>, <iframe>), on_events (event handlers), and invalid_protocols (e.g., javascript:). However, the on_events regex:

'on_events' => '#(<[^>]+[a-z\x00-\x20"\'\/)(?:on[a-z]+)\s*=[\s|\'"'].*[\s|\'"']>#iUu'

requires either quotes around the handler value or a trailing space before >. An unquoted handler like onerror=alert(1)> (no space before >) bypasses this check entirely.

Combined with </option></select> to break out of the select context (neither tag is in dangerous_tags), the full payload evades all three detection layers and triggers no XSS warning in the admin panel.

PoC

Step 1: Login as Editor

Navigate to http://TARGET/admin/ and authenticate with editor credentials.

Step 2: Create a Page with Malicious Taxonomy

  • Go to Pages → Add → Add Page
  • Title: XSS via editor
  • Go to Options Tap
  • On Taxonomies, Add tag:
</option></select><img src=x onerror=alert('XSS-via-editor')>

This payload:

  • Closes </option></select> to break out of the select dropdown context
  • Injects an <img> tag with an unquoted onerror handler (bypasses on_events regex)
  • Is not in the dangerous_tags list (no <script>, <iframe>, etc.)
  • Triggers no XSS warning in the admin panel

Step 3: Trigger the XSS

When any administrator navigates to the page editor of any page (not just the malicious one), the JavaScript executes immediately.

The XSS fires because taxonomy tag options are collected globally across all pages and rendered with |raw in the select dropdown template. The payload breaks out of the <option> context, and the browser renders the <img> tag as a regular DOM element.

Maintainer note, fix applied (2026-04-24)

Fixed across two repos:

  1. grav-plugin-form 9.0.1 (commit 6bffb4c), the primary fix. All four |raw filters in templates/forms/fields/select/select.html.twig (placeholder, avalue, suboption, item_value) have been removed. Option labels, including taxonomy values that propagate cross-page through the admin's shared selection pool, now go through Twig's default escaper, so a lower-privileged editor can no longer inject script that runs in an admin's browser when they open any page editor.

  2. Grav core on the 2.0 branch (commit 5a12f9be8, ships in 2.0.0-beta.2), closes the detection-bypass half of the report. The on_events regex in Security::detectXss() is tightened so unquoted handlers like onerror=alert(1)> are flagged (see separate GHSA-9695-8fr9-hw5q), and option/select have been added to default security.xss_dangerous_tags so </option></select>… tripwires the detector (see separate GHSA-w8cg-7jcj-4vv2).

Sites running admin2 on Grav 2.0.0-beta.2 get the 9.0.1 form plugin automatically via its existing dependency graph.

Files:

Impact

  • Session hijacking: While HttpOnly prevents direct cookie theft, the XSS can steal the admin nonce token and perform any admin action via AJAX requests
  • Privilege escalation: An editor can perform admin-only actions (create users, modify system configuration, install plugins) through the hijacked admin session
  • Cross-page impact: A single malicious taxonomy value affects the entire admin panel - every page editor view is compromised

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

CVE-2026-42842 has a CVSS score of 5.4 (Medium). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.0.0-beta.2); upgrading removes the vulnerable code path.

Affected versions

getgrav/grav (< 2.0.0-beta.2)

Security releases

getgrav/grav → 2.0.0-beta.2 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade getgrav/grav to 2.0.0-beta.2 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-42842? CVE-2026-42842 is a medium-severity cross-site scripting (XSS) vulnerability in getgrav/grav (composer), affecting versions < 2.0.0-beta.2. It is fixed in 2.0.0-beta.2. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is CVE-2026-42842? CVE-2026-42842 has a CVSS score of 5.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of getgrav/grav are affected by CVE-2026-42842? getgrav/grav (composer) versions < 2.0.0-beta.2 is affected.
  4. Is there a fix for CVE-2026-42842? Yes. CVE-2026-42842 is fixed in 2.0.0-beta.2. Upgrade to this version or later.
  5. Is CVE-2026-42842 exploitable, and should I be worried? Whether CVE-2026-42842 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-42842 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-42842? Upgrade getgrav/grav to 2.0.0-beta.2 or later.

Other vulnerabilities in getgrav/grav

CVE-2026-55890CVE-2026-55885CVE-2026-44738CVE-2026-44737CVE-2026-42844

Stop the waste.
Protect your environment with Kodem.