CVE-2025-65186
📋 TL;DR
Grav CMS 1.7.49 contains a stored cross-site scripting vulnerability in its page editor. Authenticated users can inject malicious JavaScript via <script> tags in Markdown content, which executes when other users view affected pages in the admin interface. This affects all Grav CMS installations running the vulnerable version.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could inject malicious scripts that steal admin session cookies, redirect users to phishing sites, or perform administrative actions on behalf of victims, potentially leading to complete site compromise.
Likely Case
An authenticated user with page editing privileges could inject scripts that execute in other administrators' browsers, potentially stealing their session tokens or performing unauthorized actions.
If Mitigated
With proper access controls limiting page editing to trusted users only, the impact is reduced to potential privilege escalation among authorized users.
🎯 Exploit Status
Exploitation requires authenticated access to the admin interface with page editing permissions. The vulnerability is simple to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.50 or later
Vendor Advisory: https://github.com/getgrav/grav
Restart Required: No
Instructions:
1. Backup your Grav installation.
2. Update Grav CMS to version 1.7.50 or later via the admin panel or command line.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Markdown Editor
Temporarily disable the Markdown editor functionality to prevent script injection
Edit system.yaml to disable markdown editor or restrict access
Content Sanitization Filter
Implement custom input sanitization for page content
Add custom filter to remove <script> tags from page content
🧯 If You Can't Patch
- Restrict page editing permissions to only essential trusted administrators
- Implement web application firewall rules to block script tag patterns in page content
🔍 How to Verify
Check if Vulnerable:
Check whether you are running Grav CMS version 1.7.49 by examining the version shown in the admin panel or by checking grav/system/defines.php
Check Version:
php bin/grav version
Verify Fix Applied:
Verify Grav CMS version is 1.7.50 or later and test that <script> tags in page content are properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual page edit activity from authenticated users
- Admin interface requests containing script tags in parameters
Network Indicators:
- HTTP POST requests to admin pages with script content in payloads
SIEM Query:
source="grav_access.log" AND ("POST /admin/pages" AND "<script>")
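As an added example (not part of the original advisory), the log indicators above applied to constructed combined-format access-log lines: it flags POST requests to /admin/pages whose request line carries a script tag, and goes slightly beyond the SIEM query by URL-decoding repeatedly and matching case-insensitively so that encoded or upper-cased variants are not missed. Log format, field names and sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - editor [12/Nov/2025:10:01:12 +0000] "POST /admin/pages/home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - editor [12/Nov/2025:10:02:40 +0000] "POST /admin/pages/blog?content=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2025:10:03:02 +0000] "GET /blog/post-1 HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.7 - admin [12/Nov/2025:10:04:15 +0000] "POST /admin/pages/about?content=%253CSCRIPT%253Ealert(1) HTTP/1.1" 200 600 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Nov/2025:10:05:00 +0000] "POST /admin/login?next=%3Cscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Request line fields of the combined log format (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Opening script tag, any case, optional whitespace after '<'.
SCRIPT_RE = re.compile(r'<\s*script\b', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_script_injections(log_text):
    """Return the page-edit requests whose request line contains a script tag."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["method"] != "POST" or not m["path"].startswith("/admin/pages"):
            continue  # only page-editor submissions are in scope for this CVE
        if SCRIPT_RE.search(decode_fully(m["path"])):
            hits.append({"ip": m["ip"], "user": m["user"],
                         "time": m["ts"], "path": m["path"]})
    return hits


if __name__ == "__main__":
    for hit in find_script_injections(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} user={hit['user']} {hit['path']}")
```

Access logs record only the request line, so script tags carried in a POST body are not visible here; that requires request-body logging at a reverse proxy or WAF.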