Stored Cross-Site Scripting Vulnerability in Grav CMS Form Plugin
CVE-2026-42842

5.4 MEDIUM

Key Information:

Vendor: Getgrav
CVE Published: 11 May 2026

What is CVE-2026-42842?

The Grav CMS Form plugin's select field template renders taxonomy tag and category values through the Twig |raw filter, which bypasses Twig's global autoescape protection. A user with editor-level privileges can therefore store arbitrary JavaScript that is injected into the admin panel and executes in the browser session of any administrator who views the affected page (Stored Cross-Site Scripting). This vulnerability has been addressed in version 9.1.0 of the plugin.
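The following is an added illustration of the template pattern the description refers to; it is not the plugin's own template code, and the variable names (value, label) are assumed. It shows the same output written once with |raw, which switches autoescape off for that expression, and once with the escape left in place.

```twig
{# Hypothetical select-field template fragment; variable names are assumed. #}

{# Vulnerable pattern: |raw disables Twig's autoescape for this expression,
   so any HTML markup contained in a stored taxonomy value is written
   verbatim into the admin page and interpreted by the browser. #}
<option value="{{ value|raw }}">{{ label|raw }}</option>

{# Hardened pattern: drop |raw and rely on the global autoescape, or
   escape explicitly with the strategy that matches the context
   ('html_attr' inside an attribute, 'html' in element content).
   A stored "<" is emitted as "&lt;" and rendered as text, not markup. #}
<option value="{{ value|e('html_attr') }}">{{ label|e('html') }}</option>
```

When reviewing a Twig code base for this class of issue, every |raw applied to a value that originates from a lower-privileged user (form submissions, taxonomy terms, page metadata) should be justified or replaced with a context-appropriate escape.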

Affected Version(s)

grav < 2.0.0-beta.2

grav-plugin-form < 9.1.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
