Stored CSS Injection in Grav by GetGrav
CVE-2026-58657
4.8MEDIUM
What is CVE-2026-58657?
Grav, prior to version 2.0.0, is susceptible to a stored CSS injection vulnerability within the Markdown image resize() media action. This issue arises from the Excerpts::processMediaActions() function, which allows lower-privileged content editors to embed crafted image URLs containing semicolon-delimited CSS declarations. These declarations are subsequently rendered within the attribute when a page is reviewed or previewed by higher-privileged users, permitting potential UI redress attacks and content manipulation, without relying on JavaScript execution. The vulnerability is addressed in version 2.0.0.
Affected Version(s)
Grav 2.0.0-rc.9 < 2.0.0
Grav 2.0.0
