SB2026050591 - Multiple vulnerabilities in Grav CMS
Published: May 5, 2026
Description
This security bulletin contains information about 16 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2026-42607)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation in the directInstall task in the Admin plugin and Grav Package Manager when processing uploaded ZIP archives. A remote privileged user can upload a specially crafted ZIP file to execute arbitrary code.
The issue affects the /admin/tools/direct-install endpoint and requires the Admin plugin to be enabled.
2) Cross-site scripting (CVE-ID: CVE-2026-42841)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.
The vulnerability exists due to cross-site scripting in the Markdown media action handling for rendered image HTML when processing crafted Markdown image references with media action query parameters. A remote privileged user can store a crafted Markdown image reference that injects an executable event-handler attribute to execute arbitrary JavaScript in a victim's browser.
User interaction is required when another user views the affected page.
3) Cross-site scripting (CVE-ID: CVE-2026-42842)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in an administrator's browser session.
The vulnerability exists due to cross-site scripting in the Form plugin select field template (user/plugins/form/templates/forms/fields/select/select.html.twig) when rendering taxonomy tag and category values in the admin panel. A remote user can inject a crafted taxonomy value to execute arbitrary JavaScript in an administrator's browser session.
User interaction is required: an administrator must view or edit any page in the admin panel. The issue is cross-page because taxonomy options are rendered from a shared global pool, so a value injected through one page is rendered on every page's edit form.
4) Input validation error (CVE-ID: CVE-2026-42613)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to improper input validation in the Login::register() method in the Login plugin when handling registration POST data. A remote attacker can submit crafted groups or access fields in a registration request to escalate privileges.
Exploitation requires registration to be enabled and the groups or access fields to be included in the configured allowed fields list.
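The following is an added example, not code from the Login plugin: it contrasts a registration handler that copies every configured allowed field straight from the POST body with one that strips authorization fields regardless of the allowed-fields list and assigns the initial role server-side. The field names in AUTHZ_FIELDS and the sample POST body are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not the Login plugin's code. Shows registration data
// being taken from POST as configured (the weak pattern) beside a filter
// that strips authorization fields no matter what the allowed list says.

// Assumption: field names that carry authorization decisions.
const AUTHZ_FIELDS = ['groups', 'access', 'state'];

function unsafeRegistrationData(array $post, array $allowedFields): array
{
    // If an operator lists "groups" or "access" in allowed fields, the
    // client decides its own group membership and permissions.
    return array_intersect_key($post, array_flip($allowedFields));
}

function safeRegistrationData(array $post, array $allowedFields): array
{
    $data = array_intersect_key($post, array_flip($allowedFields));
    // Authorization is server policy: never client-settable at registration,
    // even when the configuration mistakenly lists these fields.
    foreach (AUTHZ_FIELDS as $field) {
        unset($data[$field]);
    }
    // The server assigns the initial role explicitly.
    $data['groups'] = ['registered'];
    $data['access'] = ['site' => ['login' => true]];
    return $data;
}

// Constructed POST body and a misconfigured allowed-fields list.
$post = [
    'username' => 'newuser',
    'email'    => 'new@example.test',
    'password' => 'hunter2hunter2',
    'groups'   => ['admins'],
    'access'   => ['admin' => ['super' => true]],
];
$allowed = ['username', 'email', 'password', 'groups', 'access'];

print_r(unsafeRegistrationData($post, $allowed)['access']); // attacker-chosen admin.super
print_r(safeRegistrationData($post, $allowed));              // groups=registered, site.login only
```

The hardened function does not rely on the operator getting the allowed-fields list right; the denylist of authorization fields is applied after the allowlist, so a configuration mistake degrades to a harmless extra field rather than to privilege escalation.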
5) Improper access control (CVE-ID: CVE-2026-42610)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the Twig environment accounts service when rendering user-supplied Twig content. A remote user can inject Twig expressions that access administrative user objects and configuration values to disclose sensitive information.
Exploitation requires the ability to edit page content with Twig processing enabled.
6) Cross-site scripting (CVE-ID: CVE-2026-42612)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in the detectXss() function when handling unquoted HTML event attributes in content fields. A remote user can inject crafted HTML with unquoted event handler attributes to execute arbitrary JavaScript in a victim's browser.
Any user, including administrators, who views the compromised published content can be affected.
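The following is an added example, not Grav's detectXss() implementation: it places a check that only recognises quoted event-handler attributes next to one that also catches the unquoted form described above, and runs both over a few constructed content-field values. The helper names and the test strings are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Grav's detectXss(). A check that only recognises
// quoted event-handler attributes beside one that also catches the
// unquoted form (onerror=alert(1)) and a few common obfuscations.

function detectQuotedOnly(string $html): bool
{
    // Matches on<name>="..." and on<name>='...' only.
    return (bool) preg_match('/\son[a-z]+\s*=\s*["\']/i', $html);
}

function detectEventHandlers(string $html): bool
{
    // Normalise the tricks that hide the attribute from naive regexes:
    // HTML entities (on&#101;rror), NUL bytes and stray whitespace.
    $norm = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $norm = str_replace(["\0", "\r", "\n", "\t"], ['', ' ', ' ', ' '], $norm);
    // Inside a tag, an "on..." attribute name followed by "=" is enough;
    // the value may be quoted, unquoted, or even empty.
    return (bool) preg_match('/<[^>]*[\s\/]on[a-z]+\s*=/i', $norm);
}

// Constructed content-field values with the expected verdict.
$cases = [
    '<img src=x onerror="alert(1)">'    => true,
    "<img src=x onerror='alert(1)'>"    => true,
    '<img src=x onerror=alert(1)>'      => true,  // unquoted form
    '<img src=x/onerror=alert(1)>'      => true,  // slash as separator
    '<img src=x on&#101;rror=alert(1)>' => true,  // entity-encoded name
    '<p>onerror=alert(1)</p>'           => false, // text, not an attribute
    '<a href="/page">link</a>'          => false,
];

foreach ($cases as $html => $expected) {
    printf("%-36s quoted-only=%d full=%d expected=%d\n",
        $html, detectQuotedOnly($html), detectEventHandlers($html), $expected);
}
```

The quoted-only check misses the third, fourth and fifth cases. A regex filter of this kind is a detection aid, not a sanitiser: the durable fix for stored content is to run it through an HTML sanitiser with an element and attribute allowlist before it is persisted or rendered.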
7) Deserialization of Untrusted Data (CVE-ID: N/A)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in JobQueue reconstruction logic when processing a tampered serialized job payload. A remote attacker can supply a crafted serialized Job object to execute arbitrary code.
Exploitation does not require admin access if any file write primitive is available.
8) Deserialization of Untrusted Data (CVE-ID: N/A)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in FileCache when processing cache data from a writable cache directory. A remote attacker can place a crafted serialized object in the cache to execute arbitrary code.
Exploitation requires a file write primitive to the cache directory.
9) Deserialization of Untrusted Data (CVE-ID: N/A)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in Session flash object handling when processing session data. A remote attacker can provide crafted serialized session content to execute arbitrary code.
Session storage is typically more restricted than the other deserialization vectors.
10) OS Command Injection (CVE-ID: N/A)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary commands.
The vulnerability exists due to improper neutralization of special elements used in an OS command in InstallCommand git clone handling when constructing a git clone command from branch, url, and path values. A remote user can supply specially crafted dependency values to execute arbitrary commands.
The vulnerable functionality is reachable through plugin or theme installation.
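The following is an added example, not Grav's InstallCommand: it shows a git clone command assembled by string concatenation next to one that builds an argument vector for proc_open(), so the branch, url and path values can never be parsed as shell syntax. The URL pattern, the hostile branch value and the target path are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Grav's InstallCommand. Shows git clone argument
// handling built by string concatenation beside a form that passes an
// argument vector, so branch/url/path are never interpreted by a shell.

function unsafeCloneCommand(string $branch, string $url, string $path): string
{
    // Any of the three values can inject: "main; touch /tmp/pwned".
    return "git clone -b $branch $url $path";
}

function safeCloneArgv(string $branch, string $url, string $path): array
{
    // Reject anything that git itself would read as an option.
    foreach ([$branch, $url, $path] as $v) {
        if ($v === '' || $v[0] === '-') {
            throw new InvalidArgumentException('value may not be empty or start with "-"');
        }
    }
    // Assumption: only https transports are expected; this rules out
    // ext:: style remotes and local paths.
    if (!preg_match('#^https://[A-Za-z0-9.\-]+/[A-Za-z0-9._/\-]+$#', $url)) {
        throw new InvalidArgumentException('unexpected repository url');
    }
    // "--" ends option parsing; proc_open() with an array never invokes /bin/sh.
    return ['git', 'clone', '--branch', $branch, '--', $url, $path];
}

function runArgv(array $argv): int
{
    // PHP 7.4+: an array command is executed directly, without a shell.
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return 1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed, hostile branch value.
$branch = 'main; touch /tmp/pwned';
$url    = 'https://github.com/getgrav/grav-plugin-login';
$path   = '/tmp/grav-plugin-demo';

echo unsafeCloneCommand($branch, $url, $path), "\n";
// Passed to shell_exec() this would run "touch /tmp/pwned" after the clone.

print_r(safeCloneArgv($branch, $url, $path));
// The hostile string survives as a single argv entry; git would only report
// that no such branch exists. Harmless smoke test of the array form:
echo 'git --version exit code: ', runArgv(['git', '--version']), "\n";
```

Where proc_open() with an array is not available, each value must be wrapped with escapeshellarg() before concatenation; the argument-vector form is preferable because it removes the shell from the path entirely rather than relying on quoting being applied to every value.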
11) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: N/A)
CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in a template engine in cleanDangerousTwig() when filtering attacker-controlled Twig templates. A remote user can inject a crafted Twig template that bypasses the blocklist to execute arbitrary code.
The blocklist omits twig_array_reduce and dangerous file functions such as file_get_contents and fwrite.
12) Deserialization of Untrusted Data (CVE-ID: CVE-2026-7317)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to deserialization of untrusted data in FileCache::doGet() in system/src/Grav/Framework/Cache/Adapter/FileCache.php when processing tampered cache files. A local user can poison or modify a cache file with crafted serialized data to execute arbitrary code.
The vulnerable class is reachable by plugins and downstream consumers rather than through Grav's main cache path.
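Entries 7, 8, 9 and 12 share one root cause: serialized data read back from a location an attacker can write to (a job payload, a cache file, session flash data) is handed to unserialize(), which instantiates whatever classes the payload names. The following is an added example, not Grav's FileCache or JobQueue code. It contrasts a cache read that trusts the file with one that authenticates the blob with an HMAC (key stored outside the cache directory) and refuses object instantiation via allowed_classes. The Gadget class, the cache directory and the key are assumptions constructed for the demonstration; the gadget only echoes, it stands in for the side effect a real chain would reach.

```php
<?php
declare(strict_types=1);

// Added example, not Grav code. Contrasts unsafe unserialize() of cache
// data with a hardened variant: the blob is authenticated with an HMAC
// before it is touched, and object instantiation is refused.

final class CacheEntry
{
    public function __construct(public string $value) {}
}

// Hypothetical attacker-influenced class standing in for a real gadget:
// __wakeup() runs as soon as unserialize() instantiates the object.
final class Gadget
{
    public string $cmd = 'id';
    public function __wakeup(): void
    {
        // In a real chain this is where exec()/file writes would happen.
        echo "__wakeup() ran with cmd={$this->cmd}\n";
    }
}

// Vulnerable pattern: trusts whatever is in the cache file.
function unsafeDoGet(string $file): mixed
{
    return unserialize((string) file_get_contents($file));
}

// Hardened pattern: HMAC over the payload plus allowed_classes=false.
function safeDoSet(string $file, mixed $value, string $key): void
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, $key);   // 64 hex chars
    file_put_contents($file, $mac . ':' . $payload, LOCK_EX);
}

function safeDoGet(string $file, string $key): mixed
{
    $raw = (string) file_get_contents($file);
    if (strpos($raw, ':') !== 64) {
        return null;                     // malformed: treat as cache miss
    }
    $mac = substr($raw, 0, 64);
    $payload = substr($raw, 65);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;                     // tampered: treat as cache miss
    }
    // No class is ever instantiated from cache content.
    return unserialize($payload, ['allowed_classes' => false]);
}

$dir = sys_get_temp_dir() . '/grav-cache-demo';   // constructed location
@mkdir($dir, 0700, true);
$file = $dir . '/entry.cache';
$key = 'constructed-demo-key-do-not-reuse';       // in practice: outside the cache dir

// Legitimate write, then a "file write primitive" replaces the content.
safeDoSet($file, ['hits' => 1], $key);
file_put_contents($file, serialize(new Gadget()));

unsafeDoGet($file);                  // prints: __wakeup() ran with cmd=id
var_dump(safeDoGet($file, $key));    // NULL: HMAC mismatch, nothing instantiated

// Even with a valid MAC, objects never come back as live objects.
safeDoSet($file, new CacheEntry('x'), $key);
var_dump(safeDoGet($file, $key) instanceof __PHP_Incomplete_Class); // bool(true)
```

The same two controls apply to the job queue and to session flash data: authenticate the serialized blob before reading it, and store only scalars and arrays so allowed_classes can stay false. Where a cache genuinely needs objects, a JSON or explicitly typed encoding of their state avoids the PHP serialization format altogether.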
13) Improper privilege management (CVE-ID: CVE-2026-42609)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service on administrative functions and de-escalate privileges of an administrative account.
The vulnerability exists due to improper privilege management in the Grav Admin Panel user management module when handling user creation requests with an existing username. A remote user can submit a new user record using the username of an existing administrative account to cause a denial of service on administrative functions and de-escalate privileges of an administrative account.
Exploitation requires an account with permission to create other users.
14) Path traversal (CVE-ID: CVE-2026-42608)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to write arbitrary files.
The vulnerability exists due to path traversal in FormFlash::__construct() / getTmpDir() when processing the __form-flash-id POST parameter. A remote attacker can send a specially crafted POST request with traversal sequences to write arbitrary files.
A vulnerable instance must expose at least one form-enabled page.
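The following is an added example, not Grav's FormFlash code: it shows a temporary-directory path derived directly from a client-supplied flash id (the pattern described above) next to a version that allowlists the id syntactically and then confirms the resolved path is still inside the base directory. The id pattern, the base directory and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Grav code. Shows a tmp-dir derivation that trusts a
// client-supplied flash id beside a hardened one that allowlists the id
// and confirms containment in the base directory.

function unsafeTmpDir(string $base, string $flashId): string
{
    return $base . '/' . $flashId;    // "../../" in $flashId escapes $base
}

function safeTmpDir(string $base, string $flashId): string
{
    // 1) Syntactic allowlist. Assumption: generated ids are 8-64 chars of
    //    [A-Za-z0-9_-]; no dot, no slash, so no traversal is expressible.
    if (!preg_match('/^[A-Za-z0-9_-]{8,64}$/', $flashId)) {
        throw new InvalidArgumentException('invalid flash id');
    }
    // 2) Semantic containment: resolve the base and verify the parent of
    //    the result is exactly the base, even with symlinks in play.
    $realBase = realpath($base);
    if ($realBase === false) {
        throw new RuntimeException('base directory missing');
    }
    $dir = $realBase . DIRECTORY_SEPARATOR . $flashId;
    if (realpath(dirname($dir)) !== $realBase) {
        throw new RuntimeException('path escapes base directory');
    }
    return $dir;
}

$base = sys_get_temp_dir() . '/grav-forms-demo';   // constructed location
@mkdir($base, 0700, true);

// Constructed inputs: one legitimate id, one traversal payload.
$good = 'a1B2c3D4e5F6';
$evil = '../../../etc/cron.d/x';

echo unsafeTmpDir($base, $evil), "\n";    // resolves outside $base
echo safeTmpDir($base, $good), "\n";      // $base/a1B2c3D4e5F6
try {
    safeTmpDir($base, $evil);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The two checks are deliberately redundant: the allowlist rejects the payload before any filesystem call, and the realpath() comparison catches anything a future change to the allowed character set might let through.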
15) XML External Entity injection (CVE-ID: N/A)
CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper restriction of XML external entity reference in SVG file upload and processing when parsing uploaded SVG files. A remote user can upload a specially crafted SVG file to disclose sensitive information.
The issue can be reached through the admin panel, including the Pages media workflow or the File Manager plugin.
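The following is an added example, not Grav's upload handling: it places an SVG parse that enables entity substitution next to a validation routine that rejects any DTD, parses with network access off, and requires an svg root element in the SVG namespace. The two sample uploads are constructed; the external entity in the second one is the generic XXE probe, not a payload taken from the advisory.

```php
<?php
declare(strict_types=1);

// Added example, not Grav's upload handler. Shows an SVG parsed with
// entity substitution enabled beside a hardened check that rejects any
// DOCTYPE/ENTITY and parses with external access switched off.

function unsafeSvgTitle(string $svg): ?string
{
    $doc = new DOMDocument();
    // LIBXML_NOENT substitutes entities; on a build that still resolves
    // external entities, a SYSTEM entity reads local files.
    $doc->loadXML($svg, LIBXML_NOENT);
    $t = $doc->getElementsByTagName('title')->item(0);
    return $t?->textContent;
}

function isSafeSvg(string $svg): bool
{
    // 1) No DTD at all: a legitimate SVG upload never needs one.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $svg)) {
        return false;
    }
    // 2) Parse with no network and no entity substitution; collect errors
    //    instead of emitting warnings.
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->doctype !== null) {
        return false;
    }
    // 3) Root must be an <svg> element in the SVG namespace.
    $root = $doc->documentElement;
    return $root->localName === 'svg'
        && $root->namespaceURI === 'http://www.w3.org/2000/svg';
}

// Constructed uploads: one benign, one carrying an external entity.
$benign = '<svg xmlns="http://www.w3.org/2000/svg"><title>logo</title></svg>';
$xxe = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/hostname">]>'
     . '<svg xmlns="http://www.w3.org/2000/svg"><title>&x;</title></svg>';

var_dump(isSafeSvg($benign));  // bool(true)
var_dump(isSafeSvg($xxe));     // bool(false)
// unsafeSvgTitle($xxe) is left uncalled on purpose: it is the pattern to avoid.
```

Validation at upload time is only half of the control: the stored file should also be served with a Content-Type and Content-Disposition that stop the browser from rendering it inline in the admin origin, which is the same concern raised by the SVG-based cross-site scripting entry below.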
16) Cross-site scripting (CVE-ID: CVE-2026-42611)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in an administrator's browser and disclose sensitive information.
The vulnerability exists due to cross-site scripting in the admin/pages/ endpoint when processing page content containing injected SVG elements. A remote user can create a crafted page to execute arbitrary script in an administrator's browser and disclose sensitive information.
User interaction is required when an administrator visits the attacker-controlled page.
Remediation
Install the updates from the vendor's website.
References
- https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw
- https://github.com/getgrav/grav/commit/5a12f9be8
- https://github.com/getgrav/grav/security/advisories/GHSA-r7fx-8g49-7hhr
- https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f
- https://github.com/getgrav/grav/security/advisories/GHSA-pxm6-mhxr-q4mj
- https://github.com/getgrav/grav-plugin-login/commit/3d419a0
- https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4
- https://github.com/getgrav/grav/commit/d904efc33
- https://github.com/getgrav/grav/security/advisories/GHSA-9695-8fr9-hw5q
- https://github.com/getgrav/grav/security/advisories/GHSA-vj3m-2g9h-vm4p
- https://github.com/getgrav/grav/commit/c66dfeb5f
- https://github.com/getgrav/grav/commit/38685ac25
- https://github.com/getgrav/grav/security/advisories/GHSA-gwfr-jfjf-92vv
- https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8
- https://github.com/getgrav/grav/security/advisories/GHSA-hmcx-ch82-3fv2
- https://github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p
- https://github.com/getgrav/grav/security/advisories/GHSA-w8cg-7jcj-4vv2