Grav CMS · Form Plugin · CVE-2026-42842
**Name of the Vulnerable Software and Affected Versions**
Grav CMS Form plugin versions prior to 9.1.0
**Description**
A Stored Cross-Site Scripting (XSS) issue exists in the select field template of the Grav CMS Form plugin. Taxonomy tag and category values are rendered in the admin panel with Twig's `|raw` filter, which disables the global autoescape for that output. A user with editor-level permissions can therefore store arbitrary HTML and JavaScript in taxonomy fields. Because taxonomy options are collected from a shared global pool, the injected script executes in any administrator's browser session whenever they view or edit any page in the admin panel, not only the page the editor modified.
The payload also bypasses the `Security::detectXss()` input filter: its regular expression for inline `on*` event handlers does not match a handler whose value is unquoted and immediately followed by the closing `>` (no quotes and no trailing space). A payload that first closes the surrounding `<option>` and `<select>` contexts can then inject an element carrying such a handler. Script running in an administrator's session can read the admin nonce tokens and perform privileged actions via AJAX requests.
**Recommendations**
Update the Form plugin to version 9.1.0 or later.
As a temporary workaround, restrict editor-level users from modifying taxonomy tag and category values. After updating, also review existing taxonomy values for injected markup, since a payload that was stored before the fix remains in the content until it is removed.