CVE-2026-42841

MEDIUM EPSS 31.6%
Published May 11, 20261mo ago · Modified Jun 17, 20261w ago
6.9 CVSS 4.0
Medium
Find Similar
Published May 11, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public attribute() media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element. This vulnerability is fixed in 2.0.0-beta.2.

CVSS Details

Base Score
6.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
31.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 2

VendorProductVersionRange
getgravgrav* ≤1.8.0
getgravgrav2.0.0any

References 2

  • github.com https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663
    Patch
  • github.com https://github.com/getgrav/grav/security/advisories/GHSA-r7fx-8g49-7hhr
    ExploitPatchVendor Advisory

Remediation

  • github.com https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663
    Patch
  • github.com https://github.com/getgrav/grav/security/advisories/GHSA-r7fx-8g49-7hhr
    ExploitPatchVendor Advisory