JavaScript Injection Vulnerability in Grav Web Platform by GetGrav
CVE-2026-42841

6.9 MEDIUM

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
11 May 2026

What is CVE-2026-42841?

Grav, a popular file-based web platform, has a vulnerability that allows an authenticated user with page-editing permissions to inject arbitrary JavaScript event handlers into rendered images. The cause is Grav's Markdown media action syntax, which passes image query parameters through to the rendered element without restriction, so an editor can set any HTML attribute on the image element, including event handlers. This issue affects versions before 2.0.0-beta.2 and poses a significant risk because it enables cross-site scripting (XSS) against users who view the affected page. The vulnerability was addressed in the release of version 2.0.0-beta.2.
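The following is an added example, not Grav's own code, that models the class of bug described above and its fix: a renderer that maps image query parameters to `<img>` attributes, first copying every parameter through (the vulnerable pattern), then keeping only an allowlist of attribute names (the hardened pattern). The `![...](logo.png?width=300)` syntax, the function names and the allowlist are assumptions for illustration; the constructed inputs use a harmless value so the check can be exercised offline.

```python
# Added example (not Grav's code): query parameters on an image reference
# such as ![Logo](logo.png?width=300&class=hero) are turned into <img>
# attributes. Copying every parameter through lets an editor set any
# attribute, including on* event handlers; an allowlist prevents that.
from html import escape
from urllib.parse import parse_qsl, urlsplit

# Hypothetical allowlist of attributes an editor may legitimately set.
SAFE_ATTRS = {"alt", "title", "class", "id", "width", "height", "loading"}


def params_to_attrs_unsafe(src: str) -> dict:
    """Vulnerable pattern: every query parameter becomes an attribute."""
    return dict(parse_qsl(urlsplit(src).query, keep_blank_values=True))


def params_to_attrs_hardened(src: str) -> dict:
    """Hardened pattern: only allowlisted attribute names survive.

    parse_qsl percent-decodes names first, so an encoded name cannot slip
    past the comparison; lowercasing blocks case variants like ONERROR."""
    attrs = {}
    for name, value in parse_qsl(urlsplit(src).query, keep_blank_values=True):
        key = name.lower()
        if key in SAFE_ATTRS:
            attrs[key] = value
    return attrs


def render_img(src: str, hardened: bool = True) -> str:
    """Render an <img> tag; attribute values are always HTML-escaped."""
    path = urlsplit(src).path
    mapper = params_to_attrs_hardened if hardened else params_to_attrs_unsafe
    pieces = [f'src="{escape(path, quote=True)}"']
    for name, value in mapper(src).items():
        pieces.append(f'{name}="{escape(value, quote=True)}"')
    return "<img " + " ".join(pieces) + ">"


def find_event_handler_params(src: str) -> list:
    """Defender check for existing content: names that would become on* handlers."""
    return [n.lower() for n, _ in parse_qsl(urlsplit(src).query, keep_blank_values=True)
            if n.lower().startswith("on")]
```

Running the hardened renderer over stored page sources, or scanning them with `find_event_handler_params`, gives a quick way to spot content that relied on the unrestricted behaviour before upgrading.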

Affected Version(s)

grav < 2.0.0-beta.2

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved
