CVE-2026-58657 in Gravinfo

Summary

by MITRE • 07/08/2026

Grav before 2.0.0 (affected through 2.0.0-rc.9 and the 2.0 branch) contains a stored CSS injection vulnerability in the Markdown image resize() media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute() fallbacks, but the resize() action in Excerpts::processMediaActions() writes caller-controlled values directly into the image's styleAttributes. A lower-privileged content editor who can edit page Markdown can store a crafted image URL with semicolon-delimited CSS declarations in the resize parameters, which are rendered into the final <img style=...> attribute when a higher-privileged reviewer/admin views the page or preview. This does not require JavaScript execution but enables UI redress/overlay and content-manipulation attacks (e.g., a full-viewport fixed overlay). Fixed in 2.0.0.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability exists within the Grav CMS platform affecting versions prior to 2.0.0, specifically through version 2.0.0-rc.9 and the 2.0 branch. The issue stems from a stored cross-site scripting flaw that occurs during Markdown image processing through the resize() media action functionality. The vulnerability arises in the Excerpts::processMediaActions() method where caller-controlled values are directly written into image styleAttributes without proper sanitization or validation. While the system implements prior hardening measures that reject direct ?style= payloads and unsafe attribute() fallbacks, these protections are bypassed specifically within the resize() action implementation.

The technical flaw represents a classic stored CSS injection vulnerability that allows malicious actors to inject arbitrary CSS declarations into image elements. When content editors with lower privileges create Markdown content containing crafted image URLs with semicolon-delimited CSS parameters in the resize functionality, these values are stored and later rendered into the final HTML <img style=...> attributes. This occurs when higher-privileged reviewers or administrators view the page or preview the content, making it a privilege escalation vector that leverages existing content creation capabilities. The vulnerability does not require JavaScript execution to be effective, relying instead on CSS-based attack vectors that can manipulate the user interface through UI redress and overlay techniques.

The operational impact of this vulnerability is significant as it enables attackers to perform various malicious activities through the stored CSS injection. Attackers can create full-viewport fixed overlays that obscure important interface elements or manipulate content presentation in ways that could deceive users or interfere with normal site operations. The vulnerability allows for UI redress attacks where legitimate interface elements become obscured or manipulated, potentially leading to phishing attempts or unauthorized actions by users who believe they are interacting with the actual site interface. Additionally, the stored nature of the injection means that victims do not need to be actively browsing when the malicious content is created, as the attack executes automatically when the affected page is rendered.

The vulnerability aligns with CWE-1021, which specifically addresses Improper Restriction of Rendered UI Layers or Frames, and represents a form of CSS injection that can be classified under ATT&CK technique T1546.1003 for Scripting with Stored XSS. Organizations using affected Grav versions should immediately implement the patch provided in version 2.0.0 which addresses this specific vulnerability by properly sanitizing and validating all user-provided values before incorporating them into styleAttributes. The mitigation strategy involves ensuring that all media processing functions properly validate input parameters and enforce strict sanitization of CSS values to prevent arbitrary declarations from being rendered in HTML attributes. Administrators should also consider implementing additional content validation measures and monitoring for unusual Markdown content patterns that might indicate attempts to exploit this vulnerability through crafted image URLs with malicious resize parameters.

Responsible

VulnCheck

Reservation

07/01/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!