CVE-2025-66311 – Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters

CVE ID : CVE-2025-66311

Published : Dec. 1, 2025, 10:05 p.m. | 20 minutes ago

Description : This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface. This vulnerability is fixed in 1.11.0-beta.1.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2025-66448 – vLLM vulnerable to remote code execution via transformers_utils/get_config

CVE-2025-66415 – fastify-reply-from bypass of reply forwarding

CVE-2025-66412 – Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes

CVE-2025-66410 – Gin-vue-admin has an arbitrary file deletion vulnerability