NIXPKGS-2026-1513

GitHub issue published on

Permalink CVE-2026-42842

5.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
20 packages
- gravit
- antigravity
- antigravity-fhs
- stardust-xr-gravity
- kdePackages.libgravatar
- gnomeExtensions.gravatar
- haskellPackages.gravatar
- python312Packages.libgravatar
- python313Packages.libgravatar
- python314Packages.libgravatar
- python312Packages.flask-gravatar
- python313Packages.flask-gravatar
- python314Packages.flask-gravatar
- python312Packages.django-gravatar2
- python313Packages.django-gravatar2
- python314Packages.django-gravatar2
- perlPackages.MojoliciousPluginGravatar
- perl5Packages.MojoliciousPluginGravatar
- perl538Packages.MojoliciousPluginGravatar
- perl540Packages.MojoliciousPluginGravatar
4 hours ago
@LeSuisse accepted 4 hours ago
@LeSuisse published on GitHub 3 hours ago

grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel. This vulnerability is fixed in 9.1.0.

References

https://github.com/getgrav/grav/security/advisories/GHSA-c2q3-p4jr-c55f x_refsource_CONFIRMexploit
https://github.com/getgrav/grav-plugin-form/commit/6bffb4c98be468a155d1656544ec45bb4a443957 x_refsource_MISC

Affected products

grav

==< 2.0.0-beta.2

grav-plugin-form

==< 9.1.0

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

nixos-unstable 1.7.50.3
- nixpkgs-unstable 1.7.50.3
- nixos-unstable-small 1.7.50.3
nixos-25.11 1.7.50.3
- nixos-25.11-small 1.7.50.3
- nixpkgs-25.11-darwin 1.7.50.3

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1
nixos-25.11 0.5.1
- nixos-25.11-small 0.5.1
- nixpkgs-25.11-darwin 0.5.1

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

nixos-unstable 1.23.2
- nixpkgs-unstable 1.23.2
- nixos-unstable-small 1.23.2
nixos-25.11 1.11.14
- nixos-25.11-small 1.11.14
- nixpkgs-25.11-darwin 1.11.14

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

nixos-unstable 1.23.2
- nixpkgs-unstable 1.23.2
- nixos-unstable-small 1.23.2
nixos-25.11 1.11.14
- nixos-25.11-small 1.11.14
- nixpkgs-25.11-darwin 1.11.14

pkgs.stardust-xr-gravity

Utility to launch apps and stardust clients at an offet

nixos-unstable 0-unstable-2024-12-29
- nixpkgs-unstable 0-unstable-2024-12-29
- nixos-unstable-small 0-unstable-2024-12-29
nixos-25.11 0-unstable-2024-12-29
- nixos-25.11-small 0-unstable-2024-12-29
- nixpkgs-25.11-darwin 0-unstable-2024-12-29

pkgs.kdePackages.libgravatar

Library that provides Gravatar support

nixos-unstable 26.04.0
- nixpkgs-unstable 26.04.1
- nixos-unstable-small 26.04.1
nixos-25.11 25.08.3
- nixos-25.11-small 25.08.3
- nixpkgs-25.11-darwin 25.08.3