GHSA-C2Q3-P4JR-C55F

Vulnerability from github – Published: 2026-05-05 21:24 – Updated: 2026-05-05 21:24
VLAI?
Summary
Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel
Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel.

Additionally, Grav's built-in XSS detection (Security::detectXss()) can be bypassed by using payloads that close the <option>/<select> context and use unquoted event handlers - the on_events regex fails to match event handlers without quotes or trailing spaces before >.

Important

  • The vulnerability is in the Form plugin (select.html.twig), which is installed by default with Grav
  • The XSS is cross-page: a malicious taxonomy value on one page executes when an admin edits any page, because taxonomy options are rendered from a shared global pool
  • An editor can exploit this without any other vulnerability - taxonomy fields are not in the server-side restricted fields list
  • The HttpOnly flag on session cookies prevents direct session theft, but the XSS can steal the admin nonce and perform privileged actions via JavaScript

Permissions Needed

  • Editor: can create or edit pages and set taxonomy tag/category values

Details

The Form plugin's select field template renders option values using the |raw Twig filter, which outputs content without HTML escaping:

File: user/plugins/form/templates/forms/fields/select/select.html.twig

{# Line 55 #}
 avalue|raw 

{# Line 65 #}
 suboption|t|raw 

{# Line 72 #}
 item_value|t|raw

The taxonomy field in the page editor uses this select template. When a page has taxonomy values (tags, categories), these values are populated as <option> elements in the select dropdown. The value attribute is properly escaped by the browser's attribute encoding, but the display text between <option> tags is rendered raw:

<option value="&lt;script&gt;alert(1)&lt;/script&gt;"><script>alert(1)</script></option>

Since taxonomy options are collected globally across all pages (to provide autocomplete/selection), a malicious taxonomy value on any page will appear in the taxonomy dropdown of every page editor - making this a cross-page stored XSS.

The server-side field restriction in the flex-objects plugin only blocks ['form', 'forms', 'process', 'twig'] for non-super users. Taxonomy fields are not restricted, so editors can freely set arbitrary taxonomy values.

XSS Detection Bypass

Grav's Security::detectXss() checks for dangerous_tags (e.g., <script>, <iframe>), on_events (event handlers), and invalid_protocols (e.g., javascript:). However, the on_events regex:

'on_events' => '#(<[^>]+[a-z\x00-\x20"\'\/)(?:on[a-z]+)\s*=[\s|\'"'].*[\s|\'"']>#iUu'

requires either quotes around the handler value or a trailing space before >. An unquoted handler like onerror=alert(1)> (no space before >) bypasses this check entirely.

Combined with </option></select> to break out of the select context (neither tag is in dangerous_tags), the full payload evades all three detection layers and triggers no XSS warning in the admin panel.

PoC

Step 1: Login as Editor

Navigate to http://TARGET/admin/ and authenticate with editor credentials.

Step 2: Create a Page with Malicious Taxonomy

  • Go to Pages → Add → Add Page
  • Title: XSS via editor
  • Go to Options Tap
  • On Taxonomies, Add tag:
</option></select><img src=x onerror=alert('XSS-via-editor')>

This payload: - Closes </option></select> to break out of the select dropdown context - Injects an <img> tag with an unquoted onerror handler (bypasses on_events regex) - Is not in the dangerous_tags list (no <script>, <iframe>, etc.) - Triggers no XSS warning in the admin panel

image

Step 3: Trigger the XSS

When any administrator navigates to the page editor of any page (not just the malicious one), the JavaScript executes immediately.

image

The XSS fires because taxonomy tag options are collected globally across all pages and rendered with |raw in the select dropdown template. The payload breaks out of the <option> context, and the browser renders the <img> tag as a regular DOM element.

Impact

  • Session hijacking: While HttpOnly prevents direct cookie theft, the XSS can steal the admin nonce token and perform any admin action via AJAX requests
  • Privilege escalation: An editor can perform admin-only actions (create users, modify system configuration, install plugins) through the hijacked admin session
  • Cross-page impact: A single malicious taxonomy value affects the entire admin panel - every page editor view is compromised

Maintainer note — fix applied (2026-04-24)

Fixed across two repos:

  1. grav-plugin-form 9.0.1 (commit 6bffb4c) — the primary fix. All four |raw filters in templates/forms/fields/select/select.html.twig (placeholder, avalue, suboption, item_value) have been removed. Option labels — including taxonomy values that propagate cross-page through the admin's shared selection pool — now go through Twig's default escaper, so a lower-privileged editor can no longer inject script that runs in an admin's browser when they open any page editor.

  2. Grav core on the 2.0 branch (commit 5a12f9be8, ships in 2.0.0-beta.2) — closes the detection-bypass half of the report. The on_events regex in Security::detectXss() is tightened so unquoted handlers like onerror=alert(1)> are flagged (see separate GHSA-9695-8fr9-hw5q), and option/select have been added to default security.xss_dangerous_tags so </option></select>… tripwires the detector (see separate GHSA-w8cg-7jcj-4vv2).

Sites running admin2 on Grav 2.0.0-beta.2 get the 9.0.1 form plugin automatically via its existing dependency graph.

Files: - templates/forms/fields/select/select.html.twig — four |raw removed. - system/config/security.yaml — dangerous-tags list extended. - system/src/Grav/Common/Security.phpon_events regex tightened. - tests/unit/Grav/Common/Security/DetectXssTest.php — includes the GHSA-c2q3 PoC payload.

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:24:45Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin\u0027s select field template. Taxonomy tag and category values are rendered with the Twig `|raw` filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator\u0027s browser session when they view or edit any page in the admin panel.\n\nAdditionally, Grav\u0027s built-in XSS detection (`Security::detectXss()`) can be bypassed by using payloads that close the `\u003coption\u003e/\u003cselect\u003e` context and use unquoted event handlers - the `on_events` regex fails to match event handlers without quotes or trailing spaces before `\u003e`.\n\n### Important\n\n- The vulnerability is in the Form plugin (`select.html.twig`), which is installed by default with Grav\n- The XSS is cross-page: a malicious taxonomy value on one page executes when an admin edits any page, because taxonomy options are rendered from a shared global pool\n- An editor can exploit this without any other vulnerability - taxonomy fields are not in the server-side restricted fields list\n- The `HttpOnly` flag on session cookies prevents direct session theft, but the XSS can steal the admin nonce and perform privileged actions via JavaScript\n\n### Permissions Needed\n\n- Editor: can create or edit pages and set taxonomy tag/category values\n\n### Details\n\nThe Form plugin\u0027s select field template renders option values using the `|raw` Twig filter, which outputs content without HTML escaping:\n\nFile: `user/plugins/form/templates/forms/fields/select/select.html.twig`\n\n```twig\n{# Line 55 #}\n avalue|raw \n\n{# Line 65 #}\n suboption|t|raw \n\n{# Line 72 #}\n item_value|t|raw \n```\n\nThe taxonomy field in the page editor uses this select template. When a page has taxonomy values (tags, categories), these values are populated as `\u003coption\u003e` elements in the select dropdown. The `value` attribute is properly escaped by the browser\u0027s attribute encoding, but the **display text** between `\u003coption\u003e` tags is rendered raw:\n\n```html\n\u003coption value=\"\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/option\u003e\n```\n\nSince taxonomy options are collected globally across all pages (to provide autocomplete/selection), a malicious taxonomy value on any page will appear in the taxonomy dropdown of every page editor - making this a cross-page stored XSS.\n\nThe server-side field restriction in the flex-objects plugin only blocks `[\u0027form\u0027, \u0027forms\u0027, \u0027process\u0027, \u0027twig\u0027]` for non-super users. Taxonomy fields are not restricted, so editors can freely set arbitrary taxonomy values.\n\n### XSS Detection Bypass\n\nGrav\u0027s `Security::detectXss()` checks for `dangerous_tags` (e.g., `\u003cscript\u003e`, `\u003ciframe\u003e`), `on_events` (event handlers), and `invalid_protocols` (e.g., `javascript:`). However, the `on_events` regex:\n\n```php\n\u0027on_events\u0027 =\u003e \u0027#(\u003c[^\u003e]+[a-z\\x00-\\x20\"\\\u0027\\/)(?:on[a-z]+)\\s*=[\\s|\\\u0027\"\u0027].*[\\s|\\\u0027\"\u0027]\u003e#iUu\u0027\n```\n\nrequires either quotes around the handler value or a trailing space before `\u003e`. An unquoted handler like `onerror=alert(1)\u003e` (no space before `\u003e`) bypasses this check entirely.\n\nCombined with `\u003c/option\u003e\u003c/select\u003e` to break out of the select context (neither tag is in `dangerous_tags`), the full payload evades all three detection layers and triggers no XSS warning in the admin panel.\n\n### PoC\n\n#### Step 1: Login as Editor\nNavigate to `http://TARGET/admin/` and authenticate with editor credentials.\n\n#### Step 2: Create a Page with Malicious Taxonomy\n- Go to Pages \u2192 Add \u2192 Add Page\n- Title: `XSS via editor`\n- Go to **Options** Tap\n- On Taxonomies, Add tag:\n```\n\u003c/option\u003e\u003c/select\u003e\u003cimg src=x onerror=alert(\u0027XSS-via-editor\u0027)\u003e\n```\n\nThis payload:\n- Closes `\u003c/option\u003e\u003c/select\u003e` to break out of the select dropdown context\n- Injects an `\u003cimg\u003e` tag with an unquoted `onerror` handler (bypasses `on_events` regex)\n- Is not in the `dangerous_tags` list (no `\u003cscript\u003e`, `\u003ciframe\u003e`, etc.)\n- Triggers no XSS warning in the admin panel\n\n\u003cimg width=\"1221\" height=\"857\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6223cbb2-f04b-46bd-89ce-828c89ad77ab\" /\u003e\n\n#### Step 3: Trigger the XSS\nWhen any administrator navigates to the page editor of any page (not just the malicious one), the JavaScript executes immediately.\n\n\u003cimg width=\"1224\" height=\"856\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f008b0f2-dedb-4b22-a74a-cdc0d7325cb4\" /\u003e\n\nThe XSS fires because taxonomy tag options are collected globally across all pages and rendered with `|raw` in the select dropdown template. The payload breaks out of the `\u003coption\u003e` context, and the browser renders the `\u003cimg\u003e` tag as a regular DOM element.\n\n### Impact\n\n- Session hijacking: While `HttpOnly` prevents direct cookie theft, the XSS can steal the admin nonce token and perform any admin action via AJAX requests\n- Privilege escalation: An editor can perform admin-only actions (create users, modify system configuration, install plugins) through the hijacked admin session\n- Cross-page impact: A single malicious taxonomy value affects the entire admin panel - every page editor view is compromised\n\n\n---\n\n## Maintainer note \u2014 fix applied (2026-04-24)\n\nFixed across two repos:\n\n1. **grav-plugin-form 9.0.1** (commit [`6bffb4c`](https://github.com/getgrav/grav-plugin-form/commit/6bffb4c)) \u2014 the primary fix. All four `|raw` filters in [`templates/forms/fields/select/select.html.twig`](https://github.com/getgrav/grav-plugin-form/blob/develop/templates/forms/fields/select/select.html.twig) (placeholder, avalue, suboption, item_value) have been removed. Option labels \u2014 including taxonomy values that propagate cross-page through the admin\u0027s shared selection pool \u2014 now go through Twig\u0027s default escaper, so a lower-privileged editor can no longer inject script that runs in an admin\u0027s browser when they open any page editor.\n\n2. **Grav core on the `2.0` branch** (commit [`5a12f9be8`](https://github.com/getgrav/grav/commit/5a12f9be8), ships in **2.0.0-beta.2**) \u2014 closes the detection-bypass half of the report. The `on_events` regex in `Security::detectXss()` is tightened so unquoted handlers like `onerror=alert(1)\u003e` are flagged (see separate GHSA-9695-8fr9-hw5q), and `option`/`select` have been added to default `security.xss_dangerous_tags` so `\u003c/option\u003e\u003c/select\u003e\u2026` tripwires the detector (see separate GHSA-w8cg-7jcj-4vv2).\n\nSites running admin2 on Grav 2.0.0-beta.2 get the 9.0.1 form plugin automatically via its existing dependency graph.\n\n**Files:**\n- [`templates/forms/fields/select/select.html.twig`](https://github.com/getgrav/grav-plugin-form/blob/develop/templates/forms/fields/select/select.html.twig) \u2014 four `|raw` removed.\n- [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml) \u2014 dangerous-tags list extended.\n- [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php) \u2014 `on_events` regex tightened.\n- [`tests/unit/Grav/Common/Security/DetectXssTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/DetectXssTest.php) \u2014 includes the GHSA-c2q3 PoC payload.",
  "id": "GHSA-c2q3-p4jr-c55f",
  "modified": "2026-05-05T21:24:45Z",
  "published": "2026-05-05T21:24:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.