๐Ÿ” CVE Alert

CVE-2026-58657

MEDIUM 4.8

Grav - Stored CSS Injection via Markdown Image resize() Action

CVSS Score
4.8
EPSS Score
0.0%
EPSS Percentile
0th

Grav before 2.0.0 (affected through 2.0.0-rc.9 and the 2.0 branch) contains a stored CSS injection vulnerability in the Markdown image resize() media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute() fallbacks, but the resize() action in Excerpts::processMediaActions() writes caller-controlled values directly into the image's styleAttributes. A lower-privileged content editor who can edit page Markdown can store a crafted image URL with semicolon-delimited CSS declarations in the resize parameters, which are rendered into the final <img style=...> attribute when a higher-privileged reviewer/admin views the page or preview. This does not require JavaScript execution but enables UI redress/overlay and content-manipulation attacks (e.g., a full-viewport fixed overlay). Fixed in 2.0.0.

CWE CWE-79
Vendor grav
Product grav
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for grav grav

Be the first to know when new medium vulnerabilities affecting grav grav are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

Grav / Grav
2.0.0-rc.9 < 2.0.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getgrav/grav/security/advisories/GHSA-ffmg-hfvg-jhg9 github.com: https://github.com/getgrav/grav/commit/6582166173bb8eb5869d96aea384e0e73777c94c github.com: https://github.com/getgrav/grav/commit/e03d29aa0d3ece16d73c1ffccfa78df8bf5f28b8 vulncheck.com: https://www.vulncheck.com/advisories/grav-stored-css-injection-via-markdown-image-resize-action

Credits

๐Ÿ” DavidCarliez