
CVE-2025-66843: n/a

Severity: Medium
Published: Mon Dec 15 2025 (12/15/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.

AI-Powered Analysis

Last updated: 12/22/2025, 16:58:04 UTC

Technical Analysis

CVE-2025-66843 is a stored cross-site scripting (Stored XSS) vulnerability identified in Grav CMS versions prior to 1.7.49.5. Grav is a flat-file content management system widely used for website management. The vulnerability exists in the page editing functionality, where an authenticated user with low-level permissions to edit content can inject malicious JavaScript payloads into editable fields. These payloads are stored persistently on the server and executed in the browsers of any users who subsequently view or edit the affected page. This stored XSS attack vector enables attackers to perform actions such as session hijacking, credential theft, or unauthorized actions within the context of the victim’s browser session. The vulnerability requires the attacker to have authenticated access with content editing rights, and user interaction is necessary for the payload to execute. The CVSS v3.1 base score is 5.4, indicating medium severity, with an attack vector of network, low attack complexity, privileges required at the low level, and user interaction required. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. Confidentiality and integrity impacts are low, and availability is not affected. No public exploits or active exploitation in the wild have been reported to date. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

Potential Impact

For European organizations using Grav CMS, this vulnerability poses a moderate risk primarily to confidentiality and integrity of user sessions and data. Attackers with low-privileged content editing access can inject malicious scripts that execute in other users’ browsers, potentially leading to session hijacking, unauthorized actions, or data theft. This can undermine trust in affected websites, lead to data breaches, and facilitate further attacks such as privilege escalation or lateral movement. While availability is not impacted, the reputational damage and potential regulatory consequences under GDPR for data exposure could be significant. Organizations in sectors with high web presence such as media, government, education, and e-commerce are particularly at risk. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with many content editors or weak internal access controls.

Mitigation Recommendations

European organizations should immediately upgrade Grav CMS to version 1.7.49.5 or later where this vulnerability is patched. Until patching is possible, restrict content editing permissions strictly to trusted users and implement the principle of least privilege. Employ web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting Grav CMS. Conduct regular security training for content editors to recognize and avoid injecting unsafe content. Enable Content Security Policy (CSP) headers to limit the impact of any injected scripts. Monitor logs for unusual editing activity or unexpected script injections. Perform regular vulnerability scans and penetration tests focusing on web application security. Additionally, review and sanitize all user-generated content before publishing. Implement multi-factor authentication (MFA) for all users with editing privileges to reduce risk of compromised credentials.
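The recommendations above (output encoding of stored fields, a CSP header, and monitoring for unexpected script injections) are easier to reason about with code in hand. The following is an added example written for this page, not Grav's own code: it shows a raw-interpolation render beside its escaped counterpart, a CSP value that disallows inline scripts, and a small audit check that flags edits containing active HTML markers. The page record, field names and function names are hypothetical, and the sample data is constructed.

```python
"""Defensive controls against stored XSS in CMS editable fields (added example).

Nothing here is Grav code; the record layout, field names and helper names
are assumptions made for illustration.
"""
import html
import re
import secrets
from typing import Dict, List

# Constructed sample of a stored page record, as a flat-file CMS might keep it.
SAMPLE_PAGE: Dict[str, str] = {
    "title": "About <b>us</b>",
    "summary": 'Click "here" & learn more',
}

TEMPLATE = "<h1>{title}</h1>\n<p>{summary}</p>"


def render_page_unsafe(page: Dict[str, str]) -> str:
    """The defect pattern: stored editor input is interpolated into HTML verbatim.

    Any markup an editor saved is emitted as markup, so it runs in the browser
    of whoever views or edits the page next. Shown only for contrast.
    """
    return TEMPLATE.format(title=page["title"], summary=page["summary"])


def render_field(value: str) -> str:
    """Escape a stored value for an HTML text node or double-quoted attribute."""
    # quote=True also escapes " and ' so the value is safe inside attributes.
    return html.escape(value, quote=True)


def render_page(page: Dict[str, str]) -> str:
    """Hardened render: every editable field passes through render_field()."""
    return TEMPLATE.format(
        title=render_field(page["title"]),
        summary=render_field(page["summary"]),
    )


def new_nonce() -> str:
    """Per-response nonce for scripts the site itself emits."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Content-Security-Policy value that blocks inline and third-party scripts.

    Scripts run only when served from the site's origin or carrying this
    response's nonce, so an injected inline <script> is refused by the browser
    even if escaping is bypassed somewhere. Adjust the sources to the site's
    real needs; never add 'unsafe-inline' to script-src.
    """
    return (
        f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    )


# Markers of active HTML that plain page text should not normally contain.
# Deliberately broad; expect occasional false positives (e.g. the word "one=").
ACTIVE_HTML = re.compile(
    r"<\s*script|<\s*iframe|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def audit_edit(user: str, page_id: str, fields: Dict[str, str]) -> List[str]:
    """Return audit-log lines for fields of an edit that contain active HTML.

    Intended to run when an edit is saved, so reviewers can spot content
    editors storing script-bearing markup (see 'Monitor logs' above).
    """
    findings: List[str] = []
    for name, value in fields.items():
        if ACTIVE_HTML.search(value):
            findings.append(
                f"user={user} page={page_id} field={name} reason=active_html"
            )
    return findings


if __name__ == "__main__":
    print("unsafe:\n" + render_page_unsafe(SAMPLE_PAGE))
    print("escaped:\n" + render_page(SAMPLE_PAGE))
    print("csp:", csp_header(new_nonce()))
    print("audit:", audit_edit("editor1", "about", SAMPLE_PAGE))
```

If editors legitimately need rich text, blanket escaping is too strict; the corresponding control is an allow-list HTML sanitizer applied before storage or at render time, with the same CSP and audit check kept in place as defence in depth.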


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-08T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69403091d9bcdf3f3de86a18

Added to database: 12/15/2025, 4:00:17 PM

Last enriched: 12/22/2025, 4:58:04 PM

Last updated: 2/7/2026, 2:27:39 PM
