Cross-site scripting in Grav CMS - CVE-2026-42842


Published: May 5, 2026


Vulnerability identifier: #VU130075
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-42842
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in an administrator's browser session.

The vulnerability exists due to cross-site scripting in the Form plugin select field template (user/plugins/form/templates/forms/fields/select/select.html.twig) when rendering taxonomy tag and category values in the admin panel. A remote user can inject a crafted taxonomy value to execute arbitrary JavaScript in an administrator's browser session.

User interaction is required: the injected value executes when an administrator views or edits any page in the admin panel. The issue is cross-page because taxonomy options are rendered from a shared global pool, so a value injected on one page is rendered in the select field of every page.


How to mitigate CVE-2026-42842

Install the security update from the vendor's website.

Sources