Stored CSS Injection in Grav by GetGrav
CVE-2026-58657

4.8MEDIUM

Key Information:

Vendor

Grav

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-58657?

Grav, prior to version 2.0.0, is susceptible to a stored CSS injection vulnerability within the Markdown image resize() media action. This issue arises from the Excerpts::processMediaActions() function, which allows lower-privileged content editors to embed crafted image URLs containing semicolon-delimited CSS declarations. These declarations are subsequently rendered within the attribute when a page is reviewed or previewed by higher-privileged users, permitting potential UI redress attacks and content manipulation, without relying on JavaScript execution. The vulnerability is addressed in version 2.0.0.

Affected Version(s)

Grav 2.0.0-rc.9 < 2.0.0

Grav 2.0.0

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

DavidCarliez
.