CVE-2026-42842

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.4 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel. This vulnerability is fixed in 9.1.0.

Vulnerability Details

Published Date

May 05, 2026

Last Modified

May 11, 2026

CWE ID

CWE-79

Source

GitHub

Vendor

composer

Product

getgrav/grav

External References

https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f
https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663
https://github.com/advisories/GHSA-c2q3-p4jr-c55f

CVE-2026-42842

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment