CVE-2025-66309 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Grav CMS admin plugin, specifically affecting versions prior to 1.11.0-beta.1. Grav is a flat-file content management system widely used for website management, and its admin plugin provides a web-based interface for content creation and configuration. The vulnerability resides in the /admin/pages/[page] endpoint, where the application fails to properly sanitize or neutralize user-supplied input in the data[header][content][items] parameter. This improper input handling allows an attacker to inject malicious JavaScript code that is reflected back in the HTTP response, leading to script execution in the context of the admin user's browser. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H), user interaction required (UI:A), and low impact on confidentiality, integrity, and availability. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. Although exploitation requires user interaction and some level of privileges, the reflected nature of the XSS can be leveraged in phishing or social engineering attacks to compromise administrative sessions or steal sensitive information. The flaw was addressed and fixed in Grav admin plugin version 1.11.0-beta.1. No public exploits or widespread attacks have been reported to date, but the vulnerability poses a risk to organizations relying on Grav CMS for website management, especially those with exposed admin interfaces.

For European organizations, this vulnerability could lead to unauthorized script execution within the administrative interface of Grav CMS, potentially resulting in session hijacking, credential theft, or unauthorized configuration changes. Given that Grav is used by various small to medium enterprises and web developers across Europe, exploitation could disrupt website management and compromise sensitive content. The reflected XSS could be used as a vector for targeted phishing campaigns against administrators, increasing the risk of broader compromise. While the impact on core infrastructure is limited, the confidentiality and integrity of website content and administrative credentials are at risk. Organizations with public-facing Grav admin panels are particularly vulnerable. The medium severity rating reflects the moderate risk, but the ease of exploitation combined with the potential for privilege escalation or lateral movement in a compromised environment elevates the threat. Additionally, the vulnerability could be leveraged as a foothold for further attacks within an organization's network if administrative credentials are stolen.

European organizations using Grav CMS should immediately upgrade the admin plugin to version 1.11.0-beta.1 or later to remediate the vulnerability. In addition to patching, organizations should implement strict input validation and output encoding on all user-supplied data within the admin interface to prevent XSS. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the admin interface. Limit access to the Grav admin panel by IP whitelisting or VPN to reduce exposure to external attackers. Enable multi-factor authentication (MFA) for administrative accounts to mitigate the risk of credential theft. Regularly audit and monitor web server logs for suspicious requests targeting the /admin/pages/[page] endpoint. Conduct security awareness training for administrators to recognize and avoid phishing attempts that could exploit this vulnerability. Finally, consider deploying web application firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting Grav CMS endpoints.