CVE-2026-42842: Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin’s select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator’s browser session when they view or edit any page in the admin panel.
Additionally, Grav's built-in XSS detection (Security::detectXss()) can be bypassed with payloads that close the <option>/<select> context and use unquoted event handlers: the on_events regex does not match an event handler that has no quotes around its value or no trailing space before >.
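The following is an added, defender-side audit check, not code from the advisory or from Grav or its Form plugin. It walks the taxonomy block of a Grav page's frontmatter (assumed already parsed from YAML, e.g. with PyYAML, into a dict) and flags any tag or category that contains HTML metacharacters, an event-handler attribute regardless of quoting or spacing, or a script-capable URL scheme, so that content injected by a lower-privileged editor can be found before an administrator's browser renders it. The sample taxonomy values are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# A taxonomy term is a plain label, so none of these belong in one.
# The event-handler pattern deliberately matches `onxxx=` with or without
# quotes and with or without whitespace, which is the gap the advisory
# describes in Grav's own on_events check.
_MARKUP = re.compile(r'[<>"\']')
_EVENT_HANDLER = re.compile(r'\bon[a-z]+\s*=', re.IGNORECASE)
_SCHEME = re.compile(r'(?:javascript|data|vbscript)\s*:', re.IGNORECASE)

Finding = Tuple[str, str, str]  # (taxonomy field, term, reason)


def check_term(value: str) -> Optional[str]:
    """Return a reason if the term looks like injected markup, else None."""
    if _MARKUP.search(value):
        return "contains HTML metacharacters"
    if _EVENT_HANDLER.search(value):
        return "contains an event-handler attribute"
    if _SCHEME.search(value):
        return "contains a script-capable URL scheme"
    return None


def audit_taxonomy(taxonomy: Dict[str, Iterable[str]]) -> List[Finding]:
    """Check every term of every taxonomy field and collect the suspicious ones."""
    findings: List[Finding] = []
    for field, terms in taxonomy.items():
        if isinstance(terms, str):  # Grav accepts a scalar or a list here
            terms = [terms]
        for term in terms:
            reason = check_term(str(term))
            if reason:
                findings.append((field, str(term), reason))
    return findings


# Constructed sample: the `taxonomy:` block of a Grav page after YAML parsing.
# Two of the terms carry markup fragments and should be reported.
SAMPLE_TAXONOMY = {
    "category": ["blog", "press</option><b>"],
    "tag": ["news", "grav", "tag onfocus=x"],
}

if __name__ == "__main__":
    for field, term, reason in audit_taxonomy(SAMPLE_TAXONOMY):
        print(f"{field}: {term!r}: {reason}")
```

Run it over every page's frontmatter in user/pages to list terms that need cleaning; a term that trips the check is also a signal to review which editor account last saved that page.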