PT-2026-37278 · Packagist · Getgrav/Grav
Published
2026-05-05
·
Updated
2026-05-05
·
CVE-2026-42612
CVSS v3.1
8.5
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
Summary
A stored Cross-Site Scripting (XSS) vulnerability in
getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling unquoted HTML event attributes.Details
The
detectXss() function relies on a blacklist pattern to filter malicious attributes. The specific regex pattern used to match on* events is flawed:'on events' => '#(<[^>]+[a-zx00-x20"'/])(on[a-z]+|xmlns)s*=[s|'"].*[s|'"]>#iUu'This pattern fails to properly identify
on* event handlers that are constructed without quotation marks. This allows an attacker to completely bypass the filter. Note: It is highly recommended to replace this blacklist approach with a robust, established HTML sanitization library.PoC
An attacker with publisher-level access can reproduce this by injecting the following payload into any vulnerable content field:
<img src=x onerror=eval(atob(/YWxlcnQoZG9jdW1lbnQuY29va2llKQ/.source))>Execution Details:
The
onerror event is written without quotes to bypass the regex. Because unquoted attributes are restricted in their character usage (e.g., the = symbol cannot be used easily), the payload leverages atob() and regex .source to decode the base64 string YWxlcnQoZG9jdW1lbnQuY29va2llKQ (which translates to alert(document.cookie)). The atob() function conveniently auto-completes the necessary = padding for the base64 string.Impact
- Vulnerability Type: Stored Cross-Site Scripting (XSS)
- Impacted Parties: Any user (including administrators) who views the compromised content published by the attacker.
- Consequences: Attackers can execute malicious scripts in a victim's browser, leading to session hijacking (cookie theft), unauthorized actions.
Maintainer note — fix applied (2026-04-24)
Fixed in Grav core on the
2.0 branch: commit 5a12f9be8 — will ship in 2.0.0-beta.2.What changed: the
on events regex in Security::detectXss() no longer requires quotes or whitespace around =. The previous form:'on events' => '#(<[^>]+[sx00-x20"'/])(ons*[a-z]+|xmlns)s*=[s|'"].*[s|'"]>#iUu'required
[s|'"] immediately after the =, so <img src=x onerror=alert(1)> slid past. The new regex drops the value-matching tail entirely and just flags the presence of an on*= attribute anywhere inside a tag:'on events' => '#<[^>]*?[sx00-x20"'/](ons*[a-z]+|xmlns)s*=#iu'Detecting the attribute name +
= is enough for a tripwire — the trade-off is occasional false positives on legitimate attribute values containing on*= substrings, which the maintainer can hand-approve.This same regex bypass was the detection-layer half of GHSA-c2q3-p4jr-c55f and GHSA-w8cg-7jcj-4vv2; the fix here knocks both down.
Files:
system/src/Grav/Common/Security.php.tests/unit/Grav/Common/Security/DetectXssTest.php— 18 cases: unquoted PoCs, quoted-form regression, safe-content negatives.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Getgrav/Grav