CVE-2026-55890
Published 2026-06-21
Severity: medium (CVSS 4.8)
A vulnerability classified as problematic has been found in getgrav grav. It affects the function MediaObjectTrait::style of the component Markdown Image Handler. Manipulation of the argument style leads to cross site scripting.
This vulnerability is registered as CVE-2026-55890. The attack can be launched remotely. No public exploit is available.
It is recommended to upgrade the affected component.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | >= 0 < 2.0.0-rc.9 | 2.0.0-rc.9 |
VulDB
getgrav Markdown Image MediaObjectTrait::style cross site scripting
vuldb · 2026-06-21 · CVE-2026-55890 [LOW]
GHSA
Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() — incomplete patch of GHSA-r7fx-8g49-7hhr
ghsa · 2026-06-18 · CVSS 4.8 · CVE-2026-55890 [MEDIUM] · CWE-79
## Summary
The fix for **GHSA-r7fx-8g49-7hhr / CVE-2026-42841** (Stored XSS via Markdown media `attribute()` action) is incomplete. The maintainer patched `MediaObjectTrait::attribute()` to deny dangerous attribute names (event handlers, `style`, `xmlns`, `srcdoc`, `formaction`) but the sibling `MediaObjectTrait::style()` method is reachable through the **same Markdown excerpt-action pipeline** and writes editor-controlled strings straight into the rendered `` attribute with **no sanitization**.
Any user with `admin.pages` permission (e.g. an editor) can save Markdown like:
```markdown
```
which renders to a stored-CSS payload that any higher-privileged v
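The incomplete-patch pattern the advisory describes, as an added illustration that is not Grav's code: a hypothetical `DemoMediaObject` in PHP with a name-based denylist in `attribute()` (the shape of the earlier fix), a raw `style()` sink beside it that the denylist never sees, and a hardened `style()` that validates at the sink. The class, method and property names, the property allowlist, the value regex and the sample input are assumptions made for this demo; the `?style=` media action is only referenced as the advisory describes it, and the actual stored payload is not reproduced.

```php
<?php
// Added demo, not Grav's code. Models three things: (1) a name-based attribute
// denylist (the shape of the GHSA-r7fx-8g49-7hhr fix), (2) a sibling style()
// sink that stores the value verbatim, (3) a style() that validates at the sink.
// All identifiers are hypothetical; sample input below is constructed.

final class DemoMediaObject
{
    private const DENIED_ATTRIBUTES = ['style', 'xmlns', 'srcdoc', 'formaction'];

    /** @var array<string,string> */
    private array $attributes = [];
    private string $style = '';

    // Name-based denylist: drops on*="…" and a few attribute names. It only
    // protects callers that go through this method.
    public function attribute(string $name, string $value): self
    {
        $lower = strtolower($name);
        if (preg_match('/^[a-z][a-z0-9-]*$/', $lower) !== 1
            || str_starts_with($lower, 'on')
            || in_array($lower, self::DENIED_ATTRIBUTES, true)) {
            return $this; // silently dropped
        }
        $this->attributes[$name] = $value;
        return $this;
    }

    // Sibling sink the denylist never sees: the value is stored verbatim.
    public function styleUnsanitized(string $css): self
    {
        $this->style = $css;
        return $this;
    }

    // Hardened sink: parse "prop: value" declarations, allowlist the property,
    // and restrict the value to a charset that cannot open url()/expression(),
    // quotes, backslashes or angle brackets.
    public function styleSanitized(string $css): self
    {
        $allowedProps = ['width', 'height', 'float', 'margin', 'border', 'display'];
        $safe = [];
        foreach (explode(';', $css) as $decl) {
            if (trim($decl) === '') {
                continue;
            }
            $parts = explode(':', $decl, 2);
            if (count($parts) !== 2) {
                continue;
            }
            $prop  = strtolower(trim($parts[0]));
            $value = trim($parts[1]);
            if (in_array($prop, $allowedProps, true)
                && preg_match('/^[A-Za-z0-9#%.,\s-]{1,64}$/', $value) === 1) {
                $safe[] = $prop . ': ' . $value;
            }
        }
        $this->style = implode('; ', $safe);
        return $this;
    }

    public function html(string $src): string
    {
        $out = '<img src="' . htmlspecialchars($src, ENT_QUOTES | ENT_HTML5) . '"';
        foreach ($this->attributes as $k => $v) {
            $out .= ' ' . $k . '="' . htmlspecialchars($v, ENT_QUOTES | ENT_HTML5) . '"';
        }
        if ($this->style !== '') {
            // Attribute escaping is applied on every path; it stops a breakout of
            // the quoted attribute but does nothing against CSS-level injection,
            // which is why the raw path below still emits the url() declaration.
            $out .= ' style="' . htmlspecialchars($this->style, ENT_QUOTES | ENT_HTML5) . '"';
        }
        return $out . '>';
    }
}

// Constructed demo input: a style value an editor could persist through a
// media action. The URL is a placeholder, not a real collector.
$injected = 'width: 100px; background: url(https://collector.example/probe)';

$viaAttribute = (new DemoMediaObject())->attribute('style', $injected)->html('a.png');
$viaStyleRaw  = (new DemoMediaObject())->styleUnsanitized($injected)->html('a.png');
$viaStyleSafe = (new DemoMediaObject())->styleSanitized($injected)->html('a.png');

echo "attribute('style', ...) after the denylist fix:\n  $viaAttribute\n";
echo "style() raw (sibling sink the denylist never covers):\n  $viaStyleRaw\n";
echo "style() hardened (allowlist at the sink):\n  $viaStyleSafe\n";
```

Run with `php demo.php` (PHP 8 or later for `str_starts_with`). The first line shows the denylist doing its job (`<img src="a.png">`), the second shows the same value reaching the page through the sibling sink with the `url()` declaration intact, and the third shows only `style="width: 100px"` surviving. The design point the advisory makes is visible here: a denylist keyed on attribute names at one entry point cannot protect a value that arrives through a different method, so the check belongs at the sink that emits the CSS.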
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.