PT-2026-37277 · Grav · Grav
Khanmarshai · Published 2026-05-05 · Updated 2026-05-27 · CVE-2026-42611
CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 2.0.0-beta.2
Description: A low-privileged user with page creation permissions can perform stored cross-site scripting (XSS) by injecting an svg element whose event-handler attribute is left unquoted. The XSS filter in the detectXss() function, located in system/src/Grav/Common/Security.php, uses a regular expression for on* event handlers that fails to match unquoted handler values, so such a payload passes the filter. The vulnerable code path is reached through the 'admin/pages/' endpoint.
The stored XSS can be escalated: when the injected content is viewed by a Super Admin, script running in that session can exfiltrate sensitive system information from the '/admin/config/info' endpoint and capture the admin nonce. That nonce can be used to bypass CSRF protections and potentially lead to remote code execution (RCE) and full server compromise.
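As an added illustration of the filter weakness named above (this is example code written for this page, not Grav's Security.php; the two regular expressions are hypothetical stand-ins for a quote-dependent on-event check and a hardened one, and the sample fragments are constructed, not the advisory's proof of concept), the Python below runs a quote-dependent pattern, a pattern that accepts any attribute separator and any quoting style, and a tokenizer-based check over a few svg fragments:

```python
import re
from html.parser import HTMLParser

# Constructed sample fragments for this example; not the advisory's proof of concept.
SAMPLES = {
    "quoted":    '<svg onload="alert(1)">',
    "unquoted":  '<svg onload=alert(1)>',
    "slash":     '<svg/onload=alert(1)>',
    "benign":    '<svg viewBox="0 0 10 10"><circle r="4" fill="orange"/></svg>',
    "lookalike": '<input name=option value=1>',
}

# Hypothetical quote-dependent pattern: an on* attribute only counts as an
# event handler when its value starts with a quote character. This is a
# stand-in for the weakness class, not Grav's actual regular expression.
QUOTE_DEPENDENT = re.compile(r'<[^>]*\son[a-z]+\s*=\s*["\']', re.I)

# Hardened pattern: an on* attribute name preceded by any attribute separator
# (whitespace, slash or a closing quote), with no requirement on the value.
ANY_QUOTING = re.compile(r'<[^>]*[\s/"\']on[a-z]+\s*=', re.I)


def detect_quote_dependent(fragment: str) -> bool:
    """True when the weak, quote-dependent pattern flags the fragment."""
    return QUOTE_DEPENDENT.search(fragment) is not None


def detect_any_quoting(fragment: str) -> bool:
    """True when the hardened pattern flags the fragment."""
    return ANY_QUOTING.search(fragment) is not None


class _EventHandlerFinder(HTMLParser):
    """Tokenizer-based check: records every on* attribute the HTML parser
    yields, so quoting and separators are handled by the tokenizer rather
    than by a hand-written regular expression."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and strips quotes.
        for name, value in attrs:
            if name.startswith("on"):
                self.found.append((tag, name, value))


def find_event_handlers(fragment: str):
    """Return (tag, attribute, value) for every on* attribute in the fragment."""
    finder = _EventHandlerFinder()
    finder.feed(fragment)
    finder.close()
    return finder.found


def compare(fragments=SAMPLES):
    """Run all three checks per sample: {name: (quote_dependent, hardened, parser)}."""
    return {
        name: (
            detect_quote_dependent(frag),
            detect_any_quoting(frag),
            bool(find_event_handlers(frag)),
        )
        for name, frag in fragments.items()
    }


if __name__ == "__main__":
    for name, (weak, hardened, parsed) in compare().items():
        print(f"{name:10} quote-dependent={weak!s:5} hardened={hardened!s:5} parser={parsed}")
```

The quote-dependent pattern catches `onload="alert(1)"` but lets `onload=alert(1)` and `<svg/onload=alert(1)>` through, which is the class of bypass the description points at. The tokenizer-based check decides on attribute names after the parser has resolved separators and quoting, so it is the less fragile of the two approaches; in either case a blocklist filter is a secondary control, and contextual output encoding of page content remains the primary defense.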
Recommendations: Update to version 2.0.0-beta.2 or later. As a temporary workaround, restrict the ability of low-privileged users to create or edit pages until the update is applied.

Tags: Exploit · Fix · RCE · XSS

Weakness Enumeration

Related Identifiers: CVE-2026-42611, GHSA-W8CG-7JCJ-4VV2

Affected Products: Grav