PT-2026-37280 · Grav · Grav

K-Czaplicki +1 · Published 2026-05-05 · Updated 2026-05-11 · CVE-2026-42841

CVSS v4.0: 6.9 Medium
Vector: AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 2.0.0-beta.2

Description: An authenticated user with page editing permissions can perform stored Cross-Site Scripting (XSS) by injecting an executable JavaScript event-handler attribute into rendered image HTML. The root cause is that Markdown image query parameters are converted into callable media actions, which exposes the public attribute() media method. An attacker can use this to set arbitrary HTML attribute names and values on generated image elements. For example, a query parameter such as attribute=onload,alert(document.domain) produces an <img> tag with an executable onload handler. In multi-user environments, a lower-privileged editor could target administrators or reviewers who view the affected content.

Recommendations: Update Grav to version 2.0.0-beta.2 or later.
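Until the update is applied, stored page content can be screened for the attribute media action described above before a reviewer renders it. This is an added example, not Grav's own code: it assumes Grav's `![alt](file?action=arg,arg)` image syntax and uses an attribute allowlist chosen here for illustration; the sample page content is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Markdown image: ![alt](target) where target may carry a query string.
# Non-greedy up to a ')' followed by whitespace/end, so a value such as
# alert(document.domain) with its own parentheses is captured whole.
IMAGE_RE = re.compile(r'!\[[^\]]*\]\(\s*([^\s]+?)\)(?=\s|$)', re.M)

# Illustrative allowlist of attribute names an editor may legitimately set.
SAFE_ATTRIBUTES = {"alt", "title", "class", "id", "width", "height", "loading", "decoding"}


def extract_attribute_actions(markdown):
    """Return (image_target, attribute_name, attribute_value) for every
    attribute=name,value media action found in Markdown image links."""
    found = []
    for match in IMAGE_RE.finditer(markdown):
        target = match.group(1)
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key.lower() != "attribute":
                continue  # other media actions (cropResize, ...) are not in scope here
            name, _, val = value.partition(",")  # Grav separates action arguments with commas
            found.append((target, name.strip().lower(), val))
    return found


def is_dangerous_attribute(name):
    """Any on* event handler is executable; anything outside the allowlist
    (src, style, srcset, ...) is treated as dangerous as well."""
    return name.startswith("on") or name not in SAFE_ATTRIBUTES


def find_suspicious_images(markdown):
    """Images whose attribute action would set a non-allowlisted attribute."""
    return [hit for hit in extract_attribute_actions(markdown) if is_dangerous_attribute(hit[1])]


# Constructed sample page content: one benign attribute action, one event
# handler (the pattern from the advisory), one percent-encoded benign title.
SAMPLE_PAGE = """# Gallery
![cover](cover.jpg?cropResize=300,200&attribute=class,hero)
![cover](cover.jpg?attribute=onload,alert(document.domain))
![logo](logo.png?attribute=title,Company%20logo)
"""

if __name__ == "__main__":
    for target, name, value in find_suspicious_images(SAMPLE_PAGE):
        print(f"suspicious attribute action: {name}={value!r} on {target}")
```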

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-42841
GHSA-R7FX-8G49-7HHR

Affected Products

Grav