
CVE-2025-66310: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav grav

Severity: Medium
Published: Mon Dec 01 2025 (12/01/2025, 22:04:09 UTC)
Source: CVE Database V5
Vendor/Project: getgrav
Product: grav

Description

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][template] parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view. This vulnerability is fixed in 1.11.0-beta.1.

AI-Powered Analysis

Last updated: 12/08/2025, 23:13:32 UTC

Technical Analysis

CVE-2025-66310 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Grav CMS admin plugin prior to version 1.11.0-beta.1. The vulnerability arises from improper neutralization of user input in the data[header][template] parameter at the /admin/pages/[page] endpoint. An attacker with authenticated access can inject malicious JavaScript into the page's frontmatter metadata, where it is stored persistently. Whenever the affected page is rendered, either in the administrative interface or on the frontend, the injected script executes automatically. This can lead to a range of attacks including session hijacking, unauthorized administrative actions, or further exploitation of the system. Exploitation requires authenticated privileges and some user interaction, which limits remote exploitation but does not eliminate risk, especially in environments with multiple administrators or compromised credentials. The CVSS 4.0 vector indicates a network attack vector, low attack complexity and no privileges required, although the description states PR:H (high privileges required), a discrepancy between the two; it further indicates user interaction required, low impact on confidentiality and integrity, and high scope and availability impact. The vulnerability is fixed in Grav version 1.11.0-beta.1. No public exploits have been reported yet, but the stored nature of the XSS makes it particularly dangerous in administrative contexts where sensitive operations occur.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the integrity and availability of websites and administrative interfaces running Grav CMS. Exploitation could allow attackers to execute arbitrary scripts within the context of the admin interface, potentially leading to session hijacking, unauthorized content modification or privilege escalation, which could in turn result in defacement, data leakage or disruption of services. Organizations with multiple administrators or less stringent access controls are at higher risk. Since Grav is used by various public sector, educational and private entities in Europe for content management, the impact could extend to critical information systems and public-facing websites. The stored XSS can also facilitate supply chain attacks if attackers inject malicious code that propagates to end users. The medium CVSS score reflects moderate risk, but the administrative context elevates the potential damage. The lack of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.

Mitigation Recommendations

European organizations should upgrade Grav CMS to version 1.11.0-beta.1 or later without delay to remediate this vulnerability. In addition to patching, implement strict input validation and sanitization on all user-supplied data, especially metadata fields such as data[header][template]. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of any XSS that slips through. Limit administrative access to trusted users and enforce strong authentication, including multi-factor authentication (MFA), to reduce the risk of credential compromise. Regularly audit and monitor administrative actions and logs for suspicious behavior. Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads specific to Grav CMS. Educate administrators about the risks of XSS and safe content management practices. Finally, conduct periodic security assessments and penetration testing focused on CMS components to detect similar vulnerabilities early.
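An added example (not Grav project code) of the server-side validation and output escaping the recommendations above call for, applied to the frontmatter `template` field that the admin form submits as data[header][template]; the slug-style allow-list pattern, the minimal frontmatter parser and the sample pages are assumptions constructed for illustration.

```python
"""Added example, not Grav's own code: gate the `template` frontmatter field
on the way in (allow-list) and escape it on the way out (HTML rendering)."""
import html
import re

# Grav template names select Twig files such as `default` or `blog/item`.
# ASSUMPTION: a slug-like allow-list is sufficient; markup can never be valid.
TEMPLATE_RE = re.compile(r"^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$")

# Minimal frontmatter splitter for `---` delimited YAML-ish headers (no YAML lib).
FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.S)


def parse_frontmatter(page_text):
    """Return simple `key: value` header lines as a dict (constructed parser)."""
    m = FRONTMATTER_RE.match(page_text)
    if not m:
        return {}
    header = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            header[key.strip()] = value.strip().strip("'\"")
    return header


def validate_template(value):
    """Accept only plain template identifiers; reject anything carrying markup."""
    return bool(TEMPLATE_RE.fullmatch(value))


def check_submission(form):
    """Gate an admin save request shaped like data[header][template]."""
    template = form.get("data", {}).get("header", {}).get("template", "")
    return validate_template(template)


def safe_template_for_html(value):
    """Escape for HTML output: second line of defence if validation is bypassed."""
    return html.escape(value, quote=True)


def audit_page(page_text):
    """Audit a stored page: flag a tainted template value and show its safe form."""
    template = parse_frontmatter(page_text).get("template", "")
    return {"template": template, "valid": validate_template(template),
            "escaped": safe_template_for_html(template)}


# Constructed sample pages: a clean one and one whose template field carries markup.
CLEAN_PAGE = "---\ntitle: Home\ntemplate: default\n---\n# Hello\n"
TAINTED_PAGE = "---\ntitle: Home\ntemplate: \"<script>/* injected */</script>\"\n---\n# Hello\n"
```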


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-26T23:11:46.396Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 692e19186dbd3477d74d63dc

Added to database: 12/1/2025, 10:39:20 PM

Last enriched: 12/8/2025, 11:13:32 PM

Last updated: 1/16/2026, 1:38:54 PM

