CVE-2025-66309: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav grav
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter. This vulnerability is fixed in 1.11.0-beta.1.
AI Analysis
Technical Summary
CVE-2025-66309 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Grav content management system's admin plugin, affecting versions prior to 1.11.0-beta.1. The vulnerability resides in the /admin/pages/[page] endpoint, where the parameter data[header][content][items] is not properly neutralized before being reflected in the HTML response. This missing output encoding allows an attacker with authenticated access to inject JavaScript that executes in the context of the admin user's browser. The vulnerability is classified under CWE-79, improper neutralization of input during web page generation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), active user interaction required (UI:A), low impact on confidentiality and integrity, no impact on availability, and high scope and impact on security requirements. The vulnerability is fixed in version 1.11.0-beta.1 of Grav. Although no known exploits are currently reported in the wild, the vulnerability poses a risk of session hijacking, unauthorized actions, or defacement within the admin interface, potentially compromising the integrity and confidentiality of the managed content. The attack requires an authenticated user to interact with a crafted link or input, which limits the attack surface but still poses a significant risk in environments where multiple users have admin access or where phishing could be used to lure admins into executing malicious payloads.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized administrative actions, data manipulation, or leakage of sensitive information managed via Grav CMS. Since the vulnerability requires authenticated access, the risk is heightened in organizations with multiple administrators or weak internal access controls. Exploitation could result in defacement of websites, injection of malicious content affecting end users, or compromise of administrative credentials through session hijacking. This could damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and cause operational disruptions. Public sector entities, media companies, and e-commerce platforms using Grav for content management are particularly at risk. The medium severity rating reflects the balance between the need for authentication and the potential impact on confidentiality and integrity.
Mitigation Recommendations
1. Upgrade Grav CMS to version 1.11.0-beta.1 or later immediately to apply the official patch addressing this XSS vulnerability.
2. Restrict administrative access to trusted IP ranges and enforce strong multi-factor authentication (MFA) to reduce the risk of compromised credentials.
3. Implement strict Content Security Policies (CSP) to limit the execution of unauthorized scripts within the admin interface.
4. Conduct regular security audits and penetration tests focusing on the admin interface to detect any residual or related vulnerabilities.
5. Educate administrators about phishing risks and safe browsing practices to prevent social engineering attacks that could exploit this vulnerability.
6. Monitor logs for unusual admin activity or repeated access attempts to the vulnerable endpoint.
7. If immediate upgrade is not possible, consider disabling or restricting access to the /admin/pages/[page] endpoint or sanitizing inputs at the web application firewall (WAF) level to block malicious payloads targeting the data[header][content][items] parameter.
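The two defensive sides of this advisory, monitoring the endpoint (item 6) and encoding the reflected value before it reaches the page, can be shown together. The following Python is an added example, not Grav's code and not the project's actual fix; it assumes a combined-format access log, a constructed set of log lines, and a hypothetical render function that stands in for whatever template emits the parameter. It flags requests to /admin/pages/ whose data[header][content][items] value contains markup after URL decoding, and shows that HTML-escaping that value removes the reflected markup while leaving a benign collection value untouched.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
VULNERABLE_PATH = re.compile(r"^/admin/pages/[^/?\s][^?\s]*")
VULNERABLE_PARAM = "data[header][content][items]"

# Assumed log format: one combined-log line per request (client, ident, user,
# timestamp, request line, status). Regex is an assumption for this example.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markup indicators that should never appear in a page-collection value:
# a tag opener, an inline event-handler attribute, or a javascript: URL.
MARKUP_INDICATOR = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript:", re.I)

# Constructed sample log lines (addresses from documentation ranges); the
# first and last carry markup in the parameter, the second is benign.
SAMPLE_LOG = """\
203.0.113.5 - admin [01/Dec/2025:22:40:01 +0000] "GET /admin/pages/home?data%5Bheader%5D%5Bcontent%5D%5Bitems%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5120
203.0.113.5 - admin [01/Dec/2025:22:41:17 +0000] "GET /admin/pages/home?data%5Bheader%5D%5Bcontent%5D%5Bitems%5D=%40self.children HTTP/1.1" 200 5120
198.51.100.9 - - [01/Dec/2025:22:42:03 +0000] "GET /blog/post-1 HTTP/1.1" 200 8120
203.0.113.5 - admin [01/Dec/2025:22:43:44 +0000] "GET /admin/pages/home?data%5Bheader%5D%5Bcontent%5D%5Bitems%5D=x%22%20onerror%3Dalert%281%29 HTTP/1.1" 200 5120
"""


def find_suspicious_requests(log_text: str) -> list[dict]:
    """Return one record per request that hits the advisory's endpoint with
    markup in the data[header][content][items] parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        url = urlsplit(m.group("target"))
        if not VULNERABLE_PATH.match(url.path):
            continue
        # parse_qs percent-decodes both keys and values, so the bracketed
        # key name comes back as literal "data[header][content][items]".
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get(VULNERABLE_PARAM, []):
            if MARKUP_INDICATOR.search(value):
                hits.append({
                    "client": m.group("client"),
                    "user": m.group("user"),
                    "timestamp": m.group("ts"),
                    "value": value,
                })
    return hits


def render_items_safely(items: str) -> str:
    """Hypothetical stand-in for the template that reflects the parameter:
    the value is HTML-escaped (including quotes) so it can only ever be
    attribute text, never a tag or an event handler."""
    return '<input name="{}" value="{}">'.format(
        html.escape(VULNERABLE_PARAM, quote=True),
        html.escape(items, quote=True),
    )


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} ({hit['user']}): {hit['value']!r}")
    print(render_items_safely("<script>alert(1)</script>"))
```

Run against a real access log, `find_suspicious_requests` gives the per-client, per-user view that item 6 asks for; repeated hits from one client against the same page are the pattern to alert on. The escaping in `render_items_safely` is the generic CWE-79 remedy for any reflected parameter, not only this one: the fix is applied where the value is written into HTML, not where it is read.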
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-26T23:11:46.396Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692e19186dbd3477d74d63d8
Added to database: 12/1/2025, 10:39:20 PM
Last enriched: 12/1/2025, 10:54:36 PM
Last updated: 12/1/2025, 11:45:57 PM
Views: 3