PT-2026-50684 · Packagist · Getgrav/Grav

Published: 2026-06-18 · Updated: 2026-06-18 · CVE-2026-55890

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Grav versions 1.7.52 through 2.0

Description: An incomplete fix for a stored Cross-Site Scripting (XSS) issue allows users with admin.pages permissions to inject unsanitized CSS into the style attribute of images via Markdown media actions. While the attribute() method was patched to deny dangerous attributes, the sibling style() function remains reachable through the same Markdown excerpt-action pipeline and writes editor-controlled strings directly into the rendered <img> tag without sanitization.
This allows an attacker to execute a stored-CSS payload that affects higher-privileged users, such as administrators or super-admins, when they view the affected page. Potential impacts include:
  • Phishing overlays that cover the admin UI.
  • UI redress or clickjacking by hijacking button clicks.
  • Data exfiltration using CSS selectors against form fields.
  • Persistent denial-of-service of the admin UI.
The issue occurs because the style() function does not validate input, and the Security::detectXssFromArray() method in AdminController::savePage() fails to detect the Markdown-based payload.
Recommendations: For versions 1.7.52 through 2.0, apply a validation gate to the style() function using a denylist to reject dangerous CSS properties such as position:, @import, url(, expression(, -moz-binding, behavior:, z-index:, fixed, and absolute. As a temporary workaround, restrict the use of the ?style= parameter in Markdown image syntax to minimize the risk of exploitation.
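As an added example of the validation gate the recommendation describes (this is not Grav's own code; the function names, the normalisation step and the sample inputs are assumptions made here), a standalone PHP check that drops an editor-supplied style string when it contains any of the denylisted tokens. The denylist itself is the one listed above; the normalisation pass is added so that CSS comments, whitespace and backslash escapes cannot hide a token from the substring match, which is the usual weakness of a bare denylist.

```php
<?php
declare(strict_types=1);

// Denylist taken from the advisory's recommendation (lower-case, no whitespace).
const DANGEROUS_CSS_TOKENS = [
    'position:', '@import', 'url(', 'expression(', '-moz-binding',
    'behavior:', 'z-index:', 'fixed', 'absolute',
];

/**
 * Normalise a style string before matching: strip CSS comments, decode
 * hex escapes (e.g. "\72" -> "r"), drop remaining backslashes and all
 * whitespace, and lower-case the result. Hypothetical helper, not Grav's.
 */
function normaliseCss(string $style): string
{
    $s = preg_replace('#/\*.*?\*/#s', '', $style) ?? '';
    $s = preg_replace_callback('/\\\\([0-9a-fA-F]{1,6})\s?/', function (array $m): string {
        $cp = (int) hexdec($m[1]);
        return ($cp > 0 && $cp <= 0x10FFFF)
            ? html_entity_decode("&#{$cp};", ENT_QUOTES, 'UTF-8')
            : '';
    }, $s) ?? '';
    $s = str_replace('\\', '', $s);
    $s = preg_replace('/\s+/', '', $s) ?? '';
    return strtolower($s);
}

/** True when the normalised style contains none of the denylisted tokens. */
function isSafeInlineStyle(string $style): bool
{
    $s = normaliseCss($style);
    foreach (DANGEROUS_CSS_TOKENS as $token) {
        if (strpos($s, $token) !== false) {
            return false;
        }
    }
    return true;
}

/**
 * The gate itself: return the style unchanged when it passes, or null so
 * the caller omits the style attribute from the rendered <img> entirely.
 */
function gateStyle(string $style): ?string
{
    return isSafeInlineStyle($style) ? $style : null;
}

// Constructed sample inputs => expected verdict (true = allowed).
$samples = [
    'width:200px;border-radius:4px' => true,
    'color:\72 ed'                  => true,   // escape decodes to "red", harmless
    'position:fixed;top:0;left:0'   => false,  // overlay-style positioning
    'background:url(x)'             => false,  // external resource load
    'po/**/sition:absolute'         => false,  // comment cannot split the token
    'background:u\72l(x)'           => false,  // escape cannot hide "url("
    'width:100px;table-layout:fixed' => false, // bare-word "fixed" is a false positive
];

foreach ($samples as $style => $expectedSafe) {
    $verdict = gateStyle($style);
    printf("%-36s %s\n", $style, $verdict === null ? 'rejected' : 'allowed');
    if (($verdict !== null) !== $expectedSafe) {
        throw new RuntimeException("unexpected verdict for: {$style}");
    }
}
```

Note the last sample: because the recommended denylist contains the bare words fixed and absolute rather than full property/value pairs, harmless declarations such as table-layout:fixed are rejected too. That trade-off is inherent to the denylist approach; an allowlist of the few layout properties an image caption legitimately needs (width, height, margin, border and the like) is the stricter gate when the application can tolerate it.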

Tags: Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-55890
GHSA-PMF8-G7C8-7V54

Affected Products

Getgrav/Grav