CVE-2026-42612 - Vulnerability Analysis
Severity: High | CVSS: 8.5 | Last Updated: May 12, 2026
Grav - Stored XSS
Overview
Grav versions prior to 2.0.0-beta.2 contain a stored XSS caused by a blacklist bypass in the detectXss() function's handling of unquoted HTML event attributes, which lets publisher-level attackers execute arbitrary JavaScript. Exploitation requires publisher-level access.
Severity & Score
Impact
Publisher-level attackers can execute arbitrary JavaScript, potentially leading to session hijacking or further attacks on users.
Mitigation
Update to version 2.0.0-beta.2 or later.
References
Social Media Activity(2 posts)
CVE-2026-42612 - High (8.5) Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss(... https://www.thehackerwire.com/vulnerability/CVE-2026-42612/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-42612
- Severity: High
- CVSS Score: 8.5
- Type: stored_xss
- Status: confirmed
- EPSS: 3.2%
- Social Posts: 2
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N