Grav CMS Stored XSS Vulnerability CVE-2026-42612: Blacklist Bypass Enables Arbitrary JavaScript Execution for Publisher Accounts
A high-severity stored Cross-Site Scripting vulnerability has been identified in Grav, a file-based web platform, affecting all versions prior to 2.0.0-beta.2. Tracked as CVE-2026-42612 with a CVSS score of 8.5, the flaw enables publisher-level accounts to execute arbitrary JavaScript through a blacklist bypass in the platform's detectXss() function.
The vulnerability allows authenticated users with publisher privileges to inject malicious scripts that persist within the system. When other users view affected content, the injected JavaScript executes within their browser context, potentially compromising session cookies, redirecting users to malicious domains, or exfiltrating sensitive data. The root cause lies in inadequate sanitization logic within detectXss(), which can be circumvented through carefully crafted input that evades the existing blacklist filters.
Grav installations running versions below 2.0.0-beta.2 face immediate risk, particularly in multi-user environments where publisher accounts may be provisioned for external contributors or less-trusted personnel. Organizations running affected instances should prioritize upgrading to the patched version. Where immediate patching is not feasible, limiting publisher-level access to fully trusted accounts and monitoring for suspicious administrative activity can reduce exposure. The vulnerability underscores that a control designed to prevent XSS offers little real protection when its validation logic relies on a blacklist that can be bypassed: a filter can only reject the constructs it enumerates, whereas context-aware output encoding neutralizes stored content regardless of what the input looks like.
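As an added example, not Grav's code, the following Python sketch contrasts the two approaches the advisory alludes to: a blacklist filter in the spirit of a detectXss()-style check, which can only reject the constructs it enumerates, and unconditional output encoding for content stored by non-administrative roles, which renders the content inert whatever the input. The blacklist pattern, the role names and the sample posts are constructed for the illustration and do not reproduce Grav's actual filter or data model.

```python
"""Added example (not Grav's code): blacklist screening versus output encoding
for stored, user-supplied content. Blacklist pattern, roles and sample posts
are constructed for illustration."""
import html
import re

# Illustrative blacklist in the spirit of a detectXss()-style filter (NOT Grav's).
# A list like this covers only the constructs its author thought to enumerate.
BLACKLIST = re.compile(r"<\s*script\b", re.IGNORECASE)

# Constructed sample posts as a publisher might store them.
SAMPLE_POSTS = [
    "Release notes: version 2.0 ships on Friday.",      # benign prose
    "Compare a < b and a > b in the examples.",          # benign, but markup-significant chars
    "<script>alert(1)</script>",                         # textbook case the blacklist does catch
]

# Characters a browser would interpret as the start of a tag or an attribute delimiter.
MARKUP_CHARS = set('<>"\'')
ENTITY = re.compile(r"&(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")


def blacklist_flags(content: str) -> bool:
    """True when the blacklist matches. A False result proves nothing about safety:
    it only means none of the enumerated patterns appeared."""
    return bool(BLACKLIST.search(content))


def escape_for_html_text(content: str) -> str:
    """Context-aware encoding for the HTML text / quoted-attribute context.
    Every markup-significant character is replaced by an entity, so the browser
    can never parse stored content as tags or attributes, whatever the input."""
    return html.escape(content, quote=True)


def is_inert_in_html(rendered: str) -> bool:
    """True when the rendered string contains no raw markup-significant character
    and every '&' begins a well-formed entity (e.g. &lt; &quot; &#x27; &amp;)."""
    if any(c in MARKUP_CHARS for c in rendered):
        return False
    return all(ENTITY.match(rendered, i) for i, c in enumerate(rendered) if c == "&")


def render_stored_content(author_role: str, content: str) -> str:
    """Rendering policy (constructed): only 'admin' may store raw markup.
    Publisher-level and lower roles are encoded unconditionally instead of
    being screened by a blacklist, so no bypass of the filter matters."""
    if author_role == "admin":
        return content
    return escape_for_html_text(content)


def audit_publisher_posts(posts: list[str]) -> list[bool]:
    """For each post, report whether the publisher-rendered form is inert.
    Demonstrates that the guarantee holds independently of the blacklist verdict."""
    return [is_inert_in_html(render_stored_content("publisher", p)) for p in posts]


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(f"blacklist={blacklist_flags(post)!s:5}  "
              f"publisher_render={render_stored_content('publisher', post)!r}")
    print("all publisher renders inert:", all(audit_publisher_posts(SAMPLE_POSTS)))
```

The point of the `audit_publisher_posts` check is that it passes for every input, including the ones the blacklist would never have flagged, because the encoding step does not depend on recognizing anything about the content; the blacklist verdict is reported only to show that the two mechanisms are independent.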