Stored XSS Vulnerability in Grav by Getgrav
CVE-2026-55890

4.8MEDIUM

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55890?

Grav, a file-based Web platform, contains a vulnerability that allows stored cross-site scripting (XSS) due to an incomplete fix for a previously reported issue. Before version 2.0.0-rc.9, the unvalidated Markdown media attribute handling enables editors to insert unsafe style parameters. This leads to potential XSS attacks when these parameters are rendered as part of the img tag's style attribute, as they are not properly sanitized. Users are encouraged to update to the latest version to mitigate this vulnerability.

Affected Version(s)

grav < 2.0.0-rc.9

References

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.