CVE-2025-66308 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Grav CMS admin plugin, specifically in versions prior to 1.11.0-beta.1. The vulnerability exists in the /admin/config/site endpoint, where the data[taxonomies] parameter is improperly sanitized, allowing attackers to inject malicious JavaScript payloads. These payloads are stored persistently on the server and executed automatically in the browsers of users who access the affected site configuration page, resulting in a persistent XSS attack vector. This flaw stems from CWE-79, indicating improper neutralization of input during web page generation. Exploitation requires an attacker to have high-level privileges (authenticated with high privileges) and some user interaction, such as an administrator visiting the compromised configuration page. The vulnerability impacts the confidentiality and integrity of the affected system by enabling script execution in trusted contexts, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of the user. The CVSS 4.0 score of 6.8 reflects a medium severity, with network attack vector, low attack complexity, partial authentication required, and user interaction needed. No public exploits have been reported yet, but the risk remains significant for organizations using vulnerable Grav versions. The issue was addressed and fixed in Grav version 1.11.0-beta.1.

For European organizations using Grav CMS, this vulnerability poses a risk of persistent XSS attacks that can compromise administrative accounts and site integrity. Successful exploitation could lead to session hijacking, unauthorized configuration changes, or distribution of malicious content to site administrators. This can result in data breaches, defacement, or further compromise of internal systems. Since Grav is often used by small to medium enterprises and public sector websites for content management, the impact includes potential disruption of services and reputational damage. The requirement for high privilege authentication limits exposure to insider threats or attackers who have already gained partial access, but the persistent nature of the attack increases the risk of lateral movement and prolonged compromise. Organizations with public-facing Grav admin interfaces are particularly vulnerable if access controls are weak or if administrators access the interface from insecure environments.

European organizations should promptly update Grav CMS to version 1.11.0-beta.1 or later to remediate this vulnerability. Additionally, implement strict access controls to limit administrative interface exposure, such as IP whitelisting, VPN access, or multi-factor authentication for admin users. Regularly audit and sanitize all user inputs, especially in configuration endpoints, to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor logs for unusual activity around the /admin/config/site endpoint and review stored taxonomy data for suspicious content. Educate administrators on the risks of clicking unknown links or opening untrusted pages within the admin interface. Finally, conduct periodic security assessments and penetration tests focusing on web application vulnerabilities to detect similar issues proactively.