CVE-2025-66843: n/a
CVE-2025-66843 is a stored cross-site scripting (XSS) vulnerability affecting Grav CMS versions prior to 1.7.49.5. It allows an authenticated user with low privileges and content editing permissions to inject malicious JavaScript into page content. This malicious script is stored on the server and executed whenever other users view or edit the compromised page. The vulnerability requires authentication but does not require high privileges beyond content editing rights. There are no known exploits in the wild as of now, and no CVSS score has been assigned. The flaw can lead to session hijacking, credential theft, or further exploitation via the injected script. European organizations using Grav CMS for content management are at risk, especially those with multiple users having editing permissions.
AI Analysis
Technical Summary
CVE-2025-66843 is a stored cross-site scripting vulnerability identified in Grav CMS versions before 1.7.49.5. Grav is a flat-file content management system widely used for website content editing. The vulnerability resides in the page editing functionality, where an authenticated user with low-level permissions to edit content can inject malicious JavaScript payloads into editable fields. These payloads are stored persistently on the server and executed in the browsers of any users who subsequently view or edit the affected page. This stored XSS can be exploited to perform actions such as session hijacking, cookie theft, or redirecting users to malicious sites. The attack requires the attacker to have an authenticated session with content editing rights, which are typically granted to low-privileged users such as content editors or contributors. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability highlights the risk of insufficient input sanitization and output encoding in the Grav CMS page editor. Because the injected script runs in the victim's browser under the site's own origin, the same-origin policy offers no protection: the script can act with the victim's session, compromise user accounts, or escalate privileges indirectly. The flaw is particularly dangerous in multi-user environments where many users have editing rights and access to sensitive administrative functions. The absence of a patch link suggests that users should upgrade to Grav 1.7.49.5 or later once available or apply any official security updates promptly. Organizations relying on Grav CMS for their web presence should audit user permissions and monitor for suspicious content injections.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications running Grav CMS. Attackers with low-level editing permissions can inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, unauthorized access, or data theft. This can result in reputational damage, regulatory non-compliance (especially under GDPR), and operational disruption. The stored nature of the XSS means the malicious payload persists until removed, increasing exposure time. Organizations with multiple content editors or contributors are at higher risk. Since Grav CMS is used by various public and private sector entities in Europe for website management, the vulnerability could be exploited to target government portals, educational institutions, and businesses. The impact on availability is limited but could be leveraged in combination with other attacks to disrupt services. The requirement for authentication limits exploitation to insiders or compromised accounts, but this does not diminish the threat in environments with weak access controls or insufficient user monitoring.
Mitigation Recommendations
1. Upgrade Grav CMS to version 1.7.49.5 or later immediately once the patch is available to ensure the vulnerability is fixed.
2. Restrict content editing permissions strictly to trusted users and minimize the number of users with editing rights.
3. Implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of account compromise.
4. Conduct regular audits of user accounts and permissions to detect and remove unnecessary privileges.
5. Employ web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting Grav CMS.
6. Monitor website content for unexpected script injections or anomalies in page content.
7. Educate content editors about the risks of injecting untrusted code and enforce input validation policies.
8. Consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers.
9. Regularly back up website content to enable quick restoration if malicious content is injected.
10. Stay informed about Grav CMS security advisories and apply updates promptly.
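As an added example of the content monitoring in item 6 (example code written here, not Grav project code), the script below walks a Grav pages tree and flags stored HTML constructs that would execute script in an editor's or visitor's browser. It assumes Grav's flat-file layout of one Markdown file with YAML front matter per page under user/pages; the sample page, the attacker.invalid host and the demo() helper are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructs that execute script once the stored content is rendered unescaped.
# Coarse heuristics: every hit is a review item for a human, not an auto-delete.
SUSPICIOUS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "embedding_tag": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}

def scan_page_text(text):
    """Return (line_no, kind, line) for each suspicious line of a page file."""
    # Front matter and body are both editor-controlled and both get rendered.
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SUSPICIOUS.items():
            if pattern.search(line):
                findings.append((lineno, kind, line.strip()))
    return findings

def scan_pages_dir(pages_dir):
    """Walk a Grav pages tree; return {relative path: findings} for pages with hits."""
    report = {}
    for md in sorted(Path(pages_dir).rglob("*.md")):
        hits = scan_page_text(md.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(md.relative_to(pages_dir))] = hits
    return report

# Constructed sample page (not a real Grav page): ordinary Markdown into which
# an editor has pasted an inline event handler and a remote script tag.
SAMPLE_PAGE = """---
title: Team news
---
# Welcome
Plain **markdown** and a safe link to [docs](https://example.invalid/docs).
<img src="logo.png" onerror="alert(1)">
<script src="https://attacker.invalid/s.js"></script>
"""

def demo():
    """Write the sample page into a throwaway pages tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        page_dir = Path(root) / "01.team-news"
        page_dir.mkdir()
        (page_dir / "default.md").write_text(SAMPLE_PAGE, encoding="utf-8")
        return scan_pages_dir(root)
```

Run scan_pages_dir against the live user/pages directory on a schedule and diff the report between runs so that new hits, not the baseline, raise an alert.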
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-08T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69403091d9bcdf3f3de86a18
Added to database: 12/15/2025, 4:00:17 PM
Last enriched: 12/15/2025, 4:15:42 PM
Last updated: 12/15/2025, 8:08:58 PM