CVE-2026-42612
Grav: Publisher-level stored XSS in getgrav/grav due to a flawed blacklist in detectXss() that mishandles unquoted HTML event attributes. This allows arbitrary JavaScript execution via crafted content prior to 2.0.0-beta.2. The issue is fixed in Grav core on the 2.0 branch; upgrade to 2.0.0-beta....
CVE-2026-42612 Grav: Publisher-Level Stored XSS via Unquoted Event Attributes
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attribute...
GHSA-9695-8FR9-HW5Q Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes
Summary A stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attributes. Details The detectXss function relies on a...
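The advisories above describe the flaw class (a blacklist that only recognises event-handler attributes in their quoted form) without quoting Grav's detectXss code. The example below is added here to illustrate that class; it is not Grav's implementation and none of its names are from the project. It pairs a constructed, quote-dependent regex (an assumption about the shape of such a blacklist, not the real pattern) with a parser-based check that inspects attribute names rather than text, and runs both over constructed payloads so the miss on `onerror=alert(1)` is visible.

```python
"""Quote-dependent event-attribute blacklist vs. a parser-based check.

Hypothetical example code: NOT Grav's detectXss(). The naive pattern is a
constructed stand-in for a blacklist that expects a quote after on<event>=.
"""
import re
from html.parser import HTMLParser

# Constructed blacklist: only matches on<event>= followed by ' or ".
# An unquoted value such as onerror=alert(1) never satisfies the quote branch.
NAIVE_EVENT_ATTR = re.compile(r'on\w+\s*=\s*["\']', re.IGNORECASE)


def naive_detect_xss(content: str) -> bool:
    """Quoted-only detection: returns False for unquoted event handlers."""
    return NAIVE_EVENT_ATTR.search(content) is not None


class EventAttrScanner(HTMLParser):
    """Flags any on* attribute and script-scheme URLs, however they are quoted."""

    URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
    SCRIPT_SCHEMES = ("javascript:", "vbscript:")

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, value) triples

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names and decodes entities in values, so
        # ONERROR=... and href="&#106;avascript:..." arrive normalised.
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, value))
            elif name in self.URL_ATTRS and value is not None:
                # Browsers ignore control characters and whitespace inside the
                # scheme, so strip them before comparing.
                scheme = re.sub(r"[\x00-\x20]", "", value).lower()
                if scheme.startswith(self.SCRIPT_SCHEMES):
                    self.findings.append((tag, name, value))


def scan_event_attrs(content: str) -> list:
    """Return every (tag, attribute, value) the parser-based check flags."""
    scanner = EventAttrScanner()
    scanner.feed(content)
    scanner.close()
    return scanner.findings


def hardened_detect_xss(content: str) -> bool:
    return bool(scan_event_attrs(content))


# Constructed sample content; the last two entries are benign.
SAMPLES = {
    "quoted": '<img src=x onerror="alert(1)">',
    "unquoted": "<img src=x onerror=alert(1)>",
    "slash_separated": "<svg/onload=alert(1)>",
    "entity_scheme": '<a href="&#106;avascript:alert(1)">x</a>',
    "benign_link": '<a href="https://example.com">link</a>',
    "benign_text": "<p class=\"note\">Unsubscribe from notifications</p>",
}


def compare_samples() -> dict:
    """Map each sample name to (naive_result, hardened_result)."""
    return {
        name: (naive_detect_xss(html), hardened_detect_xss(html))
        for name, html in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (naive, hardened) in compare_samples().items():
        print(f"{name:16} naive={naive!s:5} parser={hardened!s:5}")
```

Two caveats for anyone reusing the idea. First, the parser-based check is still a blacklist of dangerous attribute names and schemes; a browser's parse can diverge from `html.parser` on malformed markup, so the robust fix for publisher-supplied HTML is an allowlist sanitiser that re-serialises the DOM rather than a detector that accepts or rejects raw text. Second, the naive regex shown here is only an illustration of the "expects a quote" failure mode named in the advisory; the exact pattern Grav used before 2.0.0-beta.2 is not reproduced on this page.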