PT-2026-37281 · Grav CMS · Form Plugin

Cyabell · Published 2026-05-05 · Updated 2026-05-11 · CVE-2026-42842

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Grav CMS Form plugin versions prior to 9.1.0

Description: A Stored Cross-Site Scripting (XSS) issue exists in the select field template of the Grav CMS Form plugin. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, which bypasses the global autoescape protection. This allows a user with editor-level permissions to inject arbitrary JavaScript into taxonomy fields. Because taxonomy options are collected from a shared global pool, the injected script executes in any administrator's browser session whenever they view or edit any page in the admin panel.

Technical details include a bypass of the Security::detectXss() function: its regular expression for on* event handlers fails to match handlers whose value has no quotes and no trailing space before the closing bracket. Exploitation uses payloads that close the <option> and <select> contexts to execute script, which can allow theft of admin nonce tokens and the performing of privileged actions via AJAX requests.

Recommendations: Update the Form plugin to version 9.1.0 or later. As a temporary workaround, restrict editor-level users from modifying taxonomy tag and category values.
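To illustrate the rendering defect described above, here is an added example (not code from the Grav Form plugin) that mirrors the select-option template in Python: one function interpolates taxonomy values unescaped, as Twig's |raw filter does, and the other applies context-aware HTML encoding, which is the fix rather than input-side regex detection. The sample taxonomy values, the render functions and the tag-counting check are constructed for this illustration.

```python
import html
from typing import Dict, Iterable

# Constructed sample taxonomy values (not taken from the advisory). The last
# one contains markup that, rendered unescaped, terminates the <option> and
# <select> elements, which is the context break the advisory describes.
SAMPLE_TAXONOMY = ["blog", 'news "weekly"', "x</option></select><b>y</b>"]


def render_option_raw(value: str) -> str:
    """Vulnerable pattern: the value is interpolated into both the attribute
    and the element body with no encoding, equivalent to Twig's |raw."""
    return f'<option value="{value}">{value}</option>'


def render_option_escaped(value: str) -> str:
    """Hardened pattern: encode for the HTML context the value lands in.
    quote=True also encodes quotes so the value cannot end the attribute."""
    attr = html.escape(value, quote=True)
    text = html.escape(value, quote=False)
    return f'<option value="{attr}">{text}</option>'


def render_select(name: str, values: Iterable[str], safe: bool = True) -> str:
    """Render the whole field; safe=False reproduces the |raw behaviour."""
    render = render_option_escaped if safe else render_option_raw
    body = "".join(render(v) for v in values)
    return f'<select name="{html.escape(name, quote=True)}">{body}</select>'


def tag_counts(rendered: str) -> Dict[str, int]:
    """Defender-side structural check: with correct output encoding the
    markup contains exactly one </select> and one <option per value,
    whatever the taxonomy strings contain."""
    return {
        "option_open": rendered.count("<option"),
        "select_close": rendered.count("</select>"),
    }


if __name__ == "__main__":
    for safe in (False, True):
        out = render_select("taxonomy", SAMPLE_TAXONOMY, safe=safe)
        print("escaped" if safe else "raw", tag_counts(out))
```

The raw rendering yields three </select> closings for three values, so any later markup sits outside the field; the escaped rendering keeps exactly one, regardless of what editors store in taxonomy.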

Exploit · Fix · XSS

Related Identifiers: CVE-2026-42842, GHSA-C2Q3-P4JR-C55F

Affected Products: Form Plugin