VYPR
Severity: High (8.5) · GHSA Advisory · Published May 11, 2026 · Updated May 12, 2026

CVE-2026-42612

Description

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling unquoted HTML event attributes. This vulnerability is fixed in 2.0.0-beta.2.
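The advisory's root cause is a blacklist that recognises event-handler attributes only in one syntactic form. The following added example (not Grav's detectXss() or its fix; the function names, regexes and sample markup are constructed for illustration) puts a hypothetical quoted-only blacklist next to a detector that tokenises tag attributes the way an HTML parser does, so that `onerror=alert(1)` without quotes is caught as readily as `onerror="alert(1)"`:

```python
from __future__ import annotations
import re

# Constructed sample inputs for the comparison; none of these come from the advisory.
SAMPLES = {
    "benign": '<p class="note">Hello <a href="/docs">docs</a></p>',
    "quoted_handler": '<img src="x" onerror="alert(1)">',
    "single_quoted_handler": "<img src='x' onerror='alert(1)'>",
    "unquoted_handler": '<img src=x onerror=alert(1)>',
    "unquoted_mixed_case": '<IMG SRC=x ONERROR=alert(1)>',
}

# Hypothetical blacklist pattern: it only fires when the on*= value is wrapped in
# quotes, so an unquoted attribute value slips past it entirely.
QUOTED_ONLY = re.compile(r'\bon\w+\s*=\s*(["\']).*?\1', re.IGNORECASE | re.DOTALL)


def naive_detect(html: str) -> bool:
    """Blacklist-style check that assumes attribute values are always quoted."""
    return QUOTED_ONLY.search(html) is not None


# Tag and attribute tokenisers modelled on the HTML attribute grammar: an attribute
# value may be double-quoted, single-quoted, or an unquoted run of characters that
# excludes whitespace, quotes, '=', '<', '>' and backtick.
TAG = re.compile(r'<([a-zA-Z][^\s/>]*)([^>]*)>')
ATTR = re.compile(
    r'([^\s"\'>/=]+)'                              # attribute name
    r'(?:\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s"\'=<>`]+))?',  # optional quoted/unquoted value
    re.IGNORECASE,
)


def event_handler_attributes(html: str) -> list[str]:
    """Return lower-cased names of every on* attribute found on any tag."""
    found: list[str] = []
    for tag in TAG.finditer(html):
        for attr in ATTR.finditer(tag.group(2)):
            name = attr.group(1).lower()
            # Prefix test is deliberately conservative: any on* attribute is flagged,
            # regardless of how (or whether) its value is quoted.
            if name.startswith("on"):
                found.append(name)
    return found


def robust_detect(html: str) -> bool:
    """Parser-based check: flags event handlers independent of quoting style."""
    return bool(event_handler_attributes(html))


def compare() -> dict[str, tuple[bool, bool]]:
    """Map each sample to (naive_detect result, robust_detect result)."""
    return {name: (naive_detect(h), robust_detect(h)) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, robust) in compare().items():
        print(f"{name:24s} naive={naive!s:5s} robust={robust}")
```

Running it shows the two checks agreeing on the benign and quoted samples and diverging on the unquoted ones, which is exactly the gap a quoted-only blacklist leaves. The broader lesson for defenders is that regex blacklists over raw markup are fragile by construction; sanitising rich-text input through a real HTML parser with an allowlist of tags and attributes removes whole classes of such bypasses rather than one spelling at a time.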


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   | Affected versions | Patched versions
getgrav/grav (Packagist)  | < 2.0.0-beta.2    | 2.0.0-beta.2

Affected products (4)

  • Getgrav/Grav (GHSA, 3 versions)
    • (no CPE) range: < 2.0.0-beta.2
    • cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* range: <= 1.8.0
    • cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*
  • ghsa-coords
    Range: < 2.0.0-beta.2

Patches

Vulnerability mechanics

References (4)

News mentions (0)

No linked articles in our index yet.