CVE-2025-66311 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Grav content management system (CMS) admin plugin, specifically affecting versions prior to 1.11.0-beta.1. Grav is a flat-file CMS that uses an admin plugin providing an HTML user interface for configuring the system and managing pages. The vulnerability exists in the /admin/pages/[page] endpoint, where the application improperly neutralizes input in the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. An attacker with administrative privileges can inject malicious JavaScript code into these parameters, which is then stored persistently in the page frontmatter. When the affected page is accessed or rendered within the administrative interface, the malicious script executes automatically, potentially allowing session hijacking, privilege escalation, or other malicious actions within the admin context. The vulnerability requires authenticated access (administrator-level privileges) and some user interaction to trigger the payload execution. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H means high privileges required, so this is a discrepancy in the vector but the description clarifies admin privileges are needed), user interaction required (UI:A), low impact on confidentiality and integrity, no impact on availability, and high scope and security impact. No known exploits are currently reported in the wild. The issue was reserved on 2025-11-26 and published on 2025-12-01, with the fix introduced in version 1.11.0-beta.1 of the admin plugin.

For European organizations using Grav CMS with the vulnerable admin plugin versions, this stored XSS vulnerability poses a significant risk to the confidentiality and integrity of their administrative sessions and website content. An attacker who gains administrative access can inject malicious scripts that execute whenever the affected page is accessed in the admin interface, potentially leading to session hijacking, unauthorized content modification, or further compromise of the CMS environment. This can result in defacement, data leakage, or the deployment of additional malware. Since Grav is often used by small to medium enterprises and public sector websites in Europe due to its lightweight and flexible nature, the impact could affect a broad range of organizations, including government agencies, educational institutions, and businesses relying on Grav for content management. The requirement for administrative privileges limits the attack surface but does not eliminate risk, especially if credential compromise or insider threats exist. The vulnerability could also be leveraged in targeted attacks against high-value European entities using Grav, especially those with less mature security practices.

1. Immediate upgrade of the Grav admin plugin to version 1.11.0-beta.1 or later, where the vulnerability is fixed. 2. Implement strict access controls and multi-factor authentication (MFA) for all administrative accounts to reduce the risk of credential compromise. 3. Conduct regular audits of administrative user activity and page metadata to detect suspicious or unauthorized changes. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the admin interface. 5. Sanitize and validate all user inputs at the application level, especially metadata and taxonomy fields, to prevent injection of malicious content. 6. Limit the number of users with administrative privileges and enforce the principle of least privilege. 7. Monitor logs for unusual access patterns or repeated attempts to inject scripts. 8. Educate administrators about the risks of stored XSS and safe content management practices. 9. If upgrading immediately is not feasible, consider temporarily restricting access to the admin interface to trusted IP addresses or VPNs.