CVE-2025-66308 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Grav CMS admin plugin, specifically affecting versions prior to 1.11.0-beta.1. Grav is a flat-file content management system widely used for website creation and management. The vulnerability resides in the /admin/config/site endpoint, where the data[taxonomies] parameter fails to properly neutralize user input during web page generation, classified under CWE-79. An attacker with authenticated access and high privileges can inject malicious JavaScript code into this parameter. Because the payload is stored on the server, it executes persistently in the browsers of any users who access the affected site configuration interface, potentially allowing session hijacking, privilege escalation, or unauthorized actions within the admin panel. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), partial authentication required (AT:P), high privileges (PR:H), user interaction needed (UI:A), and high impact on confidentiality and integrity (VC:H, VI:N, VA:N). No known public exploits exist yet, but the vulnerability is significant due to the persistent nature of the XSS and the administrative context. The issue was resolved in Grav version 1.11.0-beta.1 by properly sanitizing the input to prevent script injection.

For European organizations using Grav CMS versions prior to 1.11.0-beta.1, this vulnerability poses a risk of persistent XSS attacks within the administrative interface. Successful exploitation could lead to session hijacking of admin users, unauthorized changes to site configuration, and potential deployment of further malicious payloads. This undermines the confidentiality and integrity of the website management environment. Given Grav’s use in various sectors including government, education, and small to medium enterprises across Europe, exploitation could disrupt critical web services or lead to data breaches. The requirement for authenticated high-privilege users limits the attack surface but insider threats or compromised credentials could facilitate exploitation. The persistent nature of the XSS increases the risk of ongoing compromise until patched. Additionally, attackers could leverage this vulnerability to pivot to other internal systems or escalate privileges further.

European organizations should immediately upgrade Grav CMS to version 1.11.0-beta.1 or later to remediate this vulnerability. Until patching is possible, restrict administrative access to trusted users and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the admin interface. Regularly audit and monitor admin panel activity for unusual behavior indicative of exploitation attempts. Sanitize and validate all user inputs in custom plugins or extensions to prevent similar injection flaws. Consider isolating the admin interface behind VPN or IP allowlists to minimize exposure. Finally, educate administrators about phishing and social engineering risks that could lead to credential theft enabling exploitation.