NIXPKGS-2026-1530

GitHub issue published on

Permalink CVE-2026-42841

6.9 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): High (H)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): High (H)
Subsequent System Impact Integrity (SI): Low (L)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): High (H)
Modified Subsequent System Impact Integrity (MSI): Low (L)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
20 packages
- gravit
- antigravity
- antigravity-fhs
- stardust-xr-gravity
- kdePackages.libgravatar
- gnomeExtensions.gravatar
- haskellPackages.gravatar
- python312Packages.libgravatar
- python313Packages.libgravatar
- python314Packages.libgravatar
- python312Packages.flask-gravatar
- python313Packages.flask-gravatar
- python314Packages.flask-gravatar
- python312Packages.django-gravatar2
- python313Packages.django-gravatar2
- python314Packages.django-gravatar2
- perlPackages.MojoliciousPluginGravatar
- perl5Packages.MojoliciousPluginGravatar
- perl538Packages.MojoliciousPluginGravatar
- perl540Packages.MojoliciousPluginGravatar
4 hours ago
@LeSuisse accepted 4 hours ago
@LeSuisse published on GitHub 3 hours ago

Grav: Stored XSS via Markdown media attribute() action in Grav CMS

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public attribute() media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element. This vulnerability is fixed in 2.0.0-beta.2.

References

https://github.com/getgrav/grav/security/advisories/GHSA-r7fx-8g49-7hhr x_refsource_CONFIRMexploit
https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663 x_refsource_MISC

Affected products

grav

==< 2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

nixos-unstable 1.7.50.3
- nixpkgs-unstable 1.7.50.3
- nixos-unstable-small 1.7.50.3
nixos-25.11 1.7.50.3
- nixos-25.11-small 1.7.50.3
- nixpkgs-25.11-darwin 1.7.50.3

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1
nixos-25.11 0.5.1
- nixos-25.11-small 0.5.1
- nixpkgs-25.11-darwin 0.5.1

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

nixos-unstable 1.23.2
- nixpkgs-unstable 1.23.2
- nixos-unstable-small 1.23.2
nixos-25.11 1.11.14
- nixos-25.11-small 1.11.14
- nixpkgs-25.11-darwin 1.11.14

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

nixos-unstable 1.23.2
- nixpkgs-unstable 1.23.2
- nixos-unstable-small 1.23.2
nixos-25.11 1.11.14
- nixos-25.11-small 1.11.14
- nixpkgs-25.11-darwin 1.11.14

pkgs.stardust-xr-gravity

Utility to launch apps and stardust clients at an offet

nixos-unstable 0-unstable-2024-12-29
- nixpkgs-unstable 0-unstable-2024-12-29
- nixos-unstable-small 0-unstable-2024-12-29
nixos-25.11 0-unstable-2024-12-29
- nixos-25.11-small 0-unstable-2024-12-29
- nixpkgs-25.11-darwin 0-unstable-2024-12-29

pkgs.kdePackages.libgravatar

Library that provides Gravatar support

nixos-unstable 26.04.0
- nixpkgs-unstable 26.04.1
- nixos-unstable-small 26.04.1
nixos-25.11 25.08.3
- nixos-25.11-small 25.08.3
- nixpkgs-25.11-darwin 25.08.3