PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55890 getgrav CVE debrief

CVE-2026-55890 is a stored XSS vulnerability in Grav, a file-based web platform, due to an incomplete fix for CVE-2026-42841. The issue allows an editor to save malicious Markdown image style parameters that are written into the rendered img style attribute without proper sanitization. This vulnerability has a CVSS score of 4.8 and is classified as MEDIUM severity. Users of Grav versions prior to 2.0.0-rc.9 are affected and should update to the latest version to prevent potential XSS attacks. The CVE record was published on 2026-07-10T17:17:00.400Z and has not been modified since then.

Vendor
getgrav
Product
grav
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Grav versions prior to 2.0.0-rc.9 should update to the latest version to prevent potential XSS attacks. This includes operators, administrators, and security teams responsible for maintaining and securing Grav-based systems. They should review official advisories and CVE records for affected scope, severity, and vendor guidance.

Technical summary

The CVE-2026-55890 vulnerability is related to an incomplete fix for a stored XSS issue in Grav, a file-based web platform. The initial fix for CVE-2026-42841 did not fully address the issue, leaving the MediaObjectTrait::style method vulnerable to exploitation through Markdown excerpt-action pipelines. This allows an editor to save malicious Markdown image style parameters that are written into the rendered img style attribute without proper sanitization. The vulnerability has a CVSS score of 4.8 and is classified as MEDIUM severity.

Defensive priority

Medium priority given the CVSS score of 4.8 and the potential for XSS attacks.

Recommended defensive actions

  • Update Grav to version 2.0.0-rc.9 or later
  • Review and sanitize Markdown image style parameters
  • Monitor for suspicious activity and implement compensating controls
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and its fix. Additional details can be found in the source references. The vulnerability is related to an incomplete fix for a stored XSS issue in Grav, a file-based web platform. The initial fix for CVE-2026-42841 did not fully address the issue, leaving the MediaObjectTrait::style method vulnerable to exploitation through Markdown excerpt-action pipelines. This allows an editor to save malicious Markdown image style parameters that are written into the rendered img style attribute without proper sanitization. Users should verify their deployments and review official advisories for affected scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:17:00.400Z and has not been modified since then.