Grav · Grav · CVE-2026-42841
**Name of the Vulnerable Software and Affected Versions**
Grav versions prior to 2.0.0-beta.2
**Description**
An authenticated user with page editing permissions can perform stored Cross-Site Scripting (XSS) by injecting an executable JavaScript event-handler attribute into rendered image HTML. This occurs because Markdown image query parameters are converted into callable media actions, allowing access to the public `attribute()` media method. An attacker can use this to set arbitrary HTML attribute names and values on generated image elements. For example, using a query parameter like `attribute=onload,alert(document.domain)` results in an `<img>` tag with an executable `onload` handler. In multi-user environments, a lower-privileged editor could target administrators or reviewers who view the affected content.
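Two defensive checks for the behaviour described above, written here as an added Python example (not Grav's own code): the first audits Markdown image links for query parameters outside an allowlist of media actions, the second scans rendered HTML for inline event-handler attributes. The allowlist names and the sample inputs are constructed assumptions, not taken from the Grav code base.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of editor-submitted Markdown (not from the advisory).
SAMPLE_MARKDOWN = """
![logo](logo.png?resize=200,100)
![logo](logo.png?attribute=onload,alert(document.domain))
"""

# Constructed sample of rendered output containing an inline handler.
SAMPLE_HTML = '<p><img src="/images/logo.png" alt="logo" onload="alert(document.domain)"></p>'

# Hypothetical allowlist of media actions an editor may invoke via image
# query parameters; Grav's real action names are not given in the advisory.
ALLOWED_ACTIONS = {"resize", "cropResize", "quality"}

# Markdown image syntax: ![alt](url). Greedy \S+ keeps URLs whose query
# string itself contains parentheses, as in the advisory's payload.
IMAGE_RE = re.compile(r'!\[[^\]]*\]\((\S+)\)')


def audit_markdown_images(markdown: str) -> list[tuple[str, str]]:
    """Return (url, query_key) pairs whose key is not an allowed media action."""
    findings = []
    for url in IMAGE_RE.findall(markdown):
        query = urlsplit(url).query
        for key, _value in parse_qsl(query, keep_blank_values=True):
            if key not in ALLOWED_ACTIONS:
                findings.append((url, key))
    return findings


class EventHandlerScanner(HTMLParser):
    """Collects every tag attribute whose name starts with 'on' (inline handlers)."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.hits.append((tag, name, value or ""))


def find_event_handlers(html: str) -> list[tuple[str, str, str]]:
    """Return (tag, attribute, value) for each inline event handler in html."""
    scanner = EventHandlerScanner()
    scanner.feed(html)
    return scanner.hits
```

Run against stored page content before publishing, or over rendered output as a regression check after upgrading.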
**Recommendations**
Update Grav to version 2.0.0-beta.2 or later.