CVE-2025-66310 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Grav content management system's admin plugin, specifically affecting versions prior to 1.11.0-beta.1. The vulnerability exists in the /admin/pages/[page] endpoint, where the data[header][template] parameter is improperly sanitized, allowing an attacker to inject malicious JavaScript code into the page's frontmatter metadata. This injected script is persistently stored and executed automatically whenever the affected page is rendered either in the administrative interface or on the frontend, potentially compromising the confidentiality and integrity of the application and its users. The vulnerability requires an attacker to have high privileges (administrator-level access) and user interaction to trigger the malicious script execution. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), but high privileges (PR:H) and user interaction (UI:A) are necessary. The impact on confidentiality and integrity is low, but the scope is high due to the potential for script execution in multiple contexts. No known exploits have been reported in the wild as of the publication date. The vulnerability was publicly disclosed on December 1, 2025, and fixed in version 1.11.0-beta.1 of the Grav admin plugin. This vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation leading to XSS attacks.

For European organizations using Grav CMS, particularly those with administrative interfaces exposed or accessible by multiple users, this vulnerability poses a risk of persistent XSS attacks. Exploitation could allow attackers to execute arbitrary scripts in the context of the admin interface or frontend, leading to session hijacking, unauthorized actions, defacement, or distribution of malware. Organizations handling sensitive data or operating in regulated sectors (e.g., finance, healthcare, government) could face reputational damage, regulatory penalties, and operational disruption. The requirement for high privileges limits the attack surface to insiders or compromised accounts, but the stored nature of the XSS increases the risk of widespread impact once injected. Given Grav's popularity among European small to medium enterprises and public sector websites, the vulnerability could affect a broad range of entities. The medium CVSS score reflects moderate risk, but the potential for chained attacks or privilege escalation increases concern. Lack of known exploits reduces immediate threat but should not delay remediation.

European organizations should immediately upgrade Grav admin plugins to version 1.11.0-beta.1 or later to apply the official patch. Until patched, restrict administrative access to trusted users and networks, implementing strong authentication and session management controls. Employ Content Security Policy (CSP) headers to limit script execution sources and reduce XSS impact. Conduct thorough input validation and sanitization on all user-supplied data, especially metadata fields like data[header][template]. Regularly audit and monitor administrative pages for unauthorized content or script injections. Implement web application firewalls (WAFs) with rules targeting XSS payloads specific to Grav CMS. Educate administrators on phishing and social engineering risks that could lead to credential compromise. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.