CVE-2025-66843

5.4 MEDIUM

📋 TL;DR

Grav CMS versions before 1.7.49.5 contain a stored cross-site scripting vulnerability in page editing functionality. Authenticated users with content editing permissions can inject malicious JavaScript that executes when other users view or edit affected pages. This affects all Grav installations with user accounts that have edit permissions.

💻 Affected Systems

Products:
  • Grav CMS
Versions: All versions before 1.7.49.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user with page editing permissions. The Admin plugin must be enabled for user management.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal administrator session cookies, perform actions as other users, deface websites, or redirect users to malicious sites.

🟠 Likely Case

Attackers with low-privileged accounts could steal session tokens from administrators or other users, potentially escalating privileges.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with edit permissions. Public proof-of-concept demonstrates basic XSS payload injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.49.5

Vendor Advisory: https://github.com/getgrav/grav/releases/tag/1.7.49.5

Restart Required: No

Instructions:

1. Backup your Grav installation.
2. Update Grav core via GPM: 'bin/gpm selfupgrade'.
3. Update plugins: 'bin/gpm update'.
4. Clear cache: 'bin/grav clear-cache'.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement custom input validation to sanitize HTML content in page editing fields

Implement custom validation in user/plugins/admin/blueprints.yaml or custom plugin

Content Security Policy

all

Implement strict CSP headers to mitigate XSS impact

Add 'Content-Security-Policy' header with script-src directives

🧯 If You Can't Patch

  • Restrict page editing permissions to trusted administrators only
  • Implement web application firewall rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check Grav version in system.yaml or via CLI: 'bin/grav version'

Check Version:

bin/grav version

Verify Fix Applied:

Confirm the version is 1.7.49.5 or later, then re-test page editing with a test payload to confirm that script content is rendered as text rather than executed.
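As an added example (not part of this advisory and not code from the Grav project), a small Python check that parses the output of 'bin/grav version' and compares it numerically against 1.7.49.5, so four-component versions such as 1.7.49.4 are ordered correctly rather than compared as strings. The exact output format of 'bin/grav version' is an assumption; the parser only looks for the first dotted version number in whatever the command prints.

```python
import re
import subprocess

# Patched release named in the advisory for CVE-2025-66843
PATCHED_VERSION = "1.7.49.5"


def parse_version(text):
    """Return the first dotted version number in `text` as a tuple of ints.

    Accepts strings such as 'Grav v1.7.49.4' (assumed CLI output format)
    or a bare '1.7.49.5'. Raises ValueError if no version is present.
    """
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def compare_versions(a, b):
    """Numeric comparison returning -1, 0 or 1.

    Missing trailing components count as zero, so 1.7.49 < 1.7.49.5
    and 1.7.50 > 1.7.49.5, which a plain string comparison gets wrong.
    """
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_vulnerable(version_output):
    """True if the reported Grav version is older than the patched release."""
    reported = parse_version(version_output)
    patched = parse_version(PATCHED_VERSION)
    return compare_versions(reported, patched) < 0


if __name__ == "__main__":
    # Run from the Grav installation root; output format is assumed above.
    output = subprocess.run(
        ["bin/grav", "version"], capture_output=True, text=True, check=True
    ).stdout
    state = "VULNERABLE (update to 1.7.49.5+)" if is_vulnerable(output) else "patched"
    print(f"{output.strip()} -> {state}")
```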

📡 Detection & Monitoring

Log Indicators:

  • Unusual content edits containing script tags or JavaScript
  • Multiple failed login attempts followed by content edits

Network Indicators:

  • Unexpected outbound connections from admin interface
  • Suspicious POST requests to page editing endpoints

SIEM Query:

source="grav-logs" AND ("script" OR "javascript" OR "onclick" OR "onload") AND event="page_edit"
