CVE-2025-66311 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Grav CMS admin plugin, specifically affecting versions prior to 1.11.0-beta.1. Grav is a flat-file content management system that uses an admin plugin to provide a user-friendly HTML interface for configuring the system and managing content. The vulnerability resides in the /admin/pages/[page] endpoint, where user-supplied input in the parameters data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] is not properly sanitized or neutralized before being stored in the page frontmatter. This improper input handling allows attackers with administrative privileges to inject malicious JavaScript code that is persistently stored and executed whenever the affected page is accessed or rendered within the administrative interface. The vulnerability leverages CWE-79, indicating improper neutralization of input during web page generation. Exploitation requires an attacker to have authenticated access with high privileges to the Grav admin panel and involves user interaction to trigger the malicious script execution. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no attack prerequisites (AT:N), high privileges required (PR:H), user interaction required (UI:A), low impact on confidentiality and integrity (VC:L, VI:L), no impact on availability (VA:N), and high scope and impact on security and safety (SC:H, SI:H, SA:H). Although no known exploits are reported in the wild, the vulnerability poses a significant risk to administrative users and the integrity of the CMS environment. The issue is addressed in Grav admin plugin version 1.11.0-beta.1 by implementing proper input validation and sanitization to prevent script injection.

For European organizations using Grav CMS with the vulnerable admin plugin versions, this stored XSS vulnerability can lead to significant security risks. An attacker with administrative access could inject malicious scripts that execute in the context of the admin interface, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. This compromises the confidentiality and integrity of the CMS and its managed content. Given that Grav is used by small to medium enterprises and developers valuing lightweight CMS solutions, organizations relying on it for public-facing websites or internal portals may face defacement, data manipulation, or further lateral attacks within their networks. The requirement for high privileges limits the attack surface but insider threats or compromised admin accounts increase risk. The vulnerability could also be leveraged as a foothold for supply chain attacks if attackers modify content or configurations. The impact on availability is minimal, but the reputational damage and potential data breaches could be substantial. European organizations in sectors such as media, education, and government that use Grav may be particularly sensitive to such compromises, especially under GDPR regulations concerning data protection and breach notification.

European organizations should immediately upgrade the Grav admin plugin to version 1.11.0-beta.1 or later to apply the official fix. Until the upgrade is possible, restrict administrative access to trusted personnel and enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. Implement strict input validation and sanitization on all user inputs at the application level, especially for metadata and taxonomy fields, to prevent injection of malicious scripts. Regularly audit and monitor admin interface logs for unusual activities or unexpected content changes in page frontmatter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the admin interface. Conduct periodic security training for administrators to recognize phishing and social engineering attempts that could lead to account compromise. Additionally, isolate the Grav admin interface behind VPNs or IP whitelisting to reduce exposure. Backup Grav content and configurations regularly to enable quick restoration if an attack occurs. Finally, consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the vulnerable parameters.