Login Sign Up

CVE-2025-66309

6.1 MEDIUM
Cross-Site Scripting

📋 TL;DR

This reflected XSS vulnerability in Grav's admin plugin allows attackers to inject malicious scripts via the data[header][content][items] parameter in the /admin/pages/[page] endpoint. When exploited, it can lead to session hijacking, credential theft, or unauthorized admin actions. Only Grav installations with the admin plugin enabled and accessible to attackers are affected.

💻 Affected Systems

Products:
  • Grav CMS with admin plugin
Versions: All versions prior to 1.11.0-beta.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin plugin enabled and accessible endpoint.

📦 What is this software?

Grav Plugin Admin by Getgrav

View all CVEs affecting Grav Plugin Admin →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full administrative control over the Grav CMS, leading to complete site compromise, data theft, or malware distribution to visitors.

🟠

Likely Case

Attacker steals admin session cookies or credentials, leading to unauthorized content modification or privilege escalation.

🟢

If Mitigated

Attack fails due to input validation, output encoding, or lack of admin access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access or tricking an admin into clicking a malicious link.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.0-beta.1

Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq

Restart Required: No

Instructions:

1. Update Grav admin plugin to version 1.11.0-beta.1 or later via Grav's GPM (Grav Package Manager). 2. Run 'bin/gpm update' from command line. 3. Clear Grav cache if needed.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement custom input validation for the data[header][content][items] parameter to sanitize script tags.

Restrict Admin Access

all

Limit admin panel access to trusted IP addresses via web server configuration.

🧯 If You Can't Patch

  • Disable admin plugin if not required.
  • Implement WAF rules to block XSS payloads in the vulnerable parameter.

🔍 How to Verify

Check if Vulnerable:

Check admin plugin version in Grav admin panel under 'Plugins' or via command line: 'bin/gpm list'.

Check Version:

bin/gpm list | grep admin

Verify Fix Applied:

Confirm admin plugin version is 1.11.0-beta.1 or higher. Test the /admin/pages/[page] endpoint with XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin/pages/ with script tags in parameters.
  • Admin login attempts from unexpected IPs after XSS exploitation.

Network Indicators:

  • HTTP requests containing <script> tags in data[header][content][items] parameter.

SIEM Query:

http.uri:"/admin/pages/" AND http.method:POST AND http.param:*script*

📊 Metadata

CVE ID: CVE-2025-66309
CVSS v3 Score: 6.1 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.05% exploit probability (14.7th percentile)
Published: December 1, 2025
Last Updated: December 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66309, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)