PT-2026-37278 · Grav · Grav

Kc1Zs4 · Published 2026-05-05 · Updated 2026-05-27 · CVE-2026-42612

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 2.0.0-beta.2
Description: A stored Cross-Site Scripting (XSS) vulnerability allows a publisher-level account to execute arbitrary JavaScript in the browsers of other users. The root cause is a blacklist bypass in the detectXss() function: the filter fails to recognise HTML event-handler attributes (on* attributes such as onerror or onload) when the attribute value is written without quotation marks (for example onerror=alert(1) instead of onerror="alert(1)"), so content containing such a handler passes the check and is stored. The script then runs in the browser of any user who views the compromised content, including administrators, which can lead to session hijacking or unauthorized actions performed with the victim's privileges.
Recommendations: Update to version 2.0.0-beta.2 or later. Until the update is applied, restrict publisher-level accounts to trusted users and minimize the permissions granted to them, since that role is sufficient to inject the malicious content.
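The following is an added illustration of the filter flaw the description refers to; it is not Grav's code (Grav's detectXss() is PHP, and its actual patterns are not reproduced here). The weak pattern is a hypothetical blacklist with the described defect: it only recognises an on*= handler when the value is quoted. Beside it are two checks that do not depend on quoting, a repaired regex and a parser-based check, run over constructed sample inputs.

```python
"""Hypothetical demonstration of an unquoted event-attribute bypass.

Not Grav's code: the regexes and sample inputs below are constructed for this
illustration and do not reproduce the project's real detectXss() patterns.
"""
import re
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the advisory or any exploit).
SAMPLES = {
    "benign":      '<p class="intro">Hello, <a href="/docs?sectionid=1">docs</a></p>',
    "quoted":      '<img src="x" onerror="alert(1)">',
    "unquoted":    '<img src=x onerror=alert(1)>',
    "unquoted_ws": '<svg onload\t=\talert(1)>',
}

# Hypothetical weak blacklist: it only fires when a quote character follows
# "on...=", so an unquoted value slips through.
WEAK_EVENT_RE = re.compile(r'on\w+\s*=\s*["\']', re.IGNORECASE)

# Minimal regex repair: accept any value (quoted, unquoted or empty) and
# require the attribute name to start at a word boundary so that a name
# ending in "on" inside a URL, e.g. "sectionid=1", is not flagged.
HARDENED_EVENT_RE = re.compile(r'(?<![\w-])on\w+\s*=', re.IGNORECASE)


def detect_xss_weak(html: str) -> bool:
    """Flawed check: quoted handlers only."""
    return bool(WEAK_EVENT_RE.search(html))


def detect_xss_regex_fixed(html: str) -> bool:
    """Repaired regex check: handler with any value style."""
    return bool(HARDENED_EVENT_RE.search(html))


class EventAttrFinder(HTMLParser):
    """Collect attribute names starting with 'on' from every start tag.

    Letting an HTML tokenizer split attributes means quoting style is no
    longer the filter's problem: quoted, unquoted and whitespace-padded
    values all reach handle_starttag as (name, value) pairs.
    """

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.hits.append((tag, name.lower()))


def detect_event_handlers(html: str) -> list[tuple[str, str]]:
    """Parser-based check: returns (tag, attribute) pairs for on* handlers."""
    parser = EventAttrFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def compare_filters(samples=SAMPLES) -> dict[str, dict[str, bool]]:
    """Run every sample through all three checks; True means 'flagged'."""
    return {
        name: {
            "weak": detect_xss_weak(html),
            "regex_fixed": detect_xss_regex_fixed(html),
            "parser": bool(detect_event_handlers(html)),
        }
        for name, html in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_filters().items():
        print(f"{name:12s} {verdict}")
```

Running the block shows the weak check flagging only the quoted payload while both unquoted variants pass it; the repaired regex and the parser-based check flag all three. The repaired regex is still a blacklist and only closes the gap the description names; a sanitizer that parses the markup and keeps an allowlist of tags and attributes (dropping every on* attribute outright) is the more robust design for user-supplied content.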

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-42612
GHSA-9695-8FR9-HW5Q

Affected Products

Grav