Medium severity (CVSS 5.4) · GHSA Advisory · Published May 11, 2026 · Updated May 13, 2026
CVE-2026-42842
Description
The Form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, which bypasses the global autoescape protection. As a result, an editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when that administrator views or edits any page in the admin panel. This vulnerability is fixed in 9.1.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| getgrav/grav | Packagist | < 2.0.0-beta.2 | 2.0.0-beta.2 |
References
- https://github.com/advisories/GHSA-c2q3-p4jr-c55f (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-42842 (NVD advisory)
- https://github.com/getgrav/grav-plugin-form/commit/6bffb4c98be468a155d1656544ec45bb4a443957 (fix commit, grav-plugin-form)
- https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663 (commit, grav)
- https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f (GitHub security advisory, grav)