Grav XSS Vulnerability (CVE-2026-42612) Allows Publisher Account Takeover

The National Vulnerability Database has detailed CVE-2026-42612, a high-severity stored Cross-Site Scripting (XSS) vulnerability affecting Grav, a file-based web platform. This flaw, present in versions prior to 2.0.0-beta.2, allows authenticated publisher-level accounts to execute arbitrary JavaScript. The root cause is a blacklist bypass within the detectXss() function, specifically when processing unquoted HTML event attributes.
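
The pattern behind this bypass is easy to reproduce in miniature. As an added illustration, not Grav's detectXss() code (which is not reproduced here), the two hypothetical regexes below show how an event-attribute blacklist that only expects quoted values misses the unquoted form a browser still executes, and what a pattern that also accepts unquoted values looks like. The function names, both regexes and the sample HTML strings are constructed for this example.

```python
import re

# Hypothetical naive blacklist: flags an on* event attribute only when its
# value is wrapped in quotes. Constructed for illustration; not Grav's pattern.
NAIVE_EVENT_HANDLER = re.compile(
    r"""<[^>]*\son[a-z]+\s*=\s*["'][^"']*["']""",
    re.IGNORECASE,
)

# Hardened pattern: the attribute value may be double-quoted, single-quoted,
# or unquoted (anything up to the next whitespace or '>'), and the attribute
# may be separated from the tag name by whitespace or '/'.
HARDENED_EVENT_HANDLER = re.compile(
    r"""<[^>]*[\s/]on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""",
    re.IGNORECASE,
)


def naive_detect(html: str) -> bool:
    """Return True if the naive (quoted-only) blacklist flags the markup."""
    return bool(NAIVE_EVENT_HANDLER.search(html))


def hardened_detect(html: str) -> bool:
    """Return True if the hardened pattern flags the markup."""
    return bool(HARDENED_EVENT_HANDLER.search(html))


# Constructed samples exercising the quoted / unquoted / benign cases.
SAMPLES = {
    "quoted": '<img src="x" onerror="alert(1)">',   # caught by both patterns
    "unquoted": '<img src=x onerror=alert(1)>',     # slips past the naive blacklist
    "benign": '<p class="note">on time</p>',        # must not be flagged by either
}


def detection_report(samples: dict) -> dict:
    """Map each sample name to (naive_flagged, hardened_flagged)."""
    return {name: (naive_detect(h), hardened_detect(h)) for name, h in samples.items()}


if __name__ == "__main__":
    for name, result in detection_report(SAMPLES).items():
        print(f"{name:9s} naive={result[0]!s:5s} hardened={result[1]!s:5s}")
```

Even the hardened regex is only a stopgap for a blacklist design: a `>` inside a quoted attribute value, or encoded attribute names, will defeat any regex, which is why patching and allowlist-based HTML sanitization are the durable fix.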

This isn’t just a minor annoyance; it’s a critical bypass. A publisher-level account gaining arbitrary JavaScript execution means full session hijacking, data exfiltration, or even further privilege escalation within the Grav environment. Attackers don’t need to be administrators; they just need a foothold at a publisher level, which is a significantly lower bar. The National Vulnerability Database assigns this a CVSS score of 8.5 (HIGH), underscoring the severity.

Defenders running Grav installations must prioritize patching. The fix is available in Grav version 2.0.0-beta.2. Given the ease of exploitation by a privileged user and the significant impact, leaving this unpatched is an invitation for internal compromise. Review your Grav deployment for any lingering older versions immediately.

What This Means For You

  • If your organization uses Grav, you need to verify your version immediately. This XSS vulnerability (CVE-2026-42612) allows a publisher-level account to execute arbitrary JavaScript, which is a direct path to session hijacking and data compromise. Patch to version 2.0.0-beta.2 or newer without delay. Audit publisher accounts for any suspicious activity if you were running vulnerable versions.

Indicators of Compromise

ID | Type | Indicator
CVE-2026-42612 | XSS | getgrav/grav prior to version 2.0.0-beta.2
CVE-2026-42612 | XSS | Stored Cross-Site Scripting (XSS) via blacklist bypass in detectXss() function
CVE-2026-42612 | XSS | Vulnerable to unquoted HTML event attributes
Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 19:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
