Stored XSS Vulnerability in Grav by Getgrav
CVE-2026-55890
4.8MEDIUM
What is CVE-2026-55890?
Grav, a file-based Web platform, contains a vulnerability that allows stored cross-site scripting (XSS) due to an incomplete fix for a previously reported issue. Before version 2.0.0-rc.9, the unvalidated Markdown media attribute handling enables editors to insert unsafe style parameters. This leads to potential XSS attacks when these parameters are rendered as part of the img tag's style attribute, as they are not properly sanitized. Users are encouraged to update to the latest version to mitigate this vulnerability.
Affected Version(s)
grav < 2.0.0-rc.9
