CVE-2025-66308 – Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`

CVE ID : CVE-2025-66308

Published : Dec. 1, 2025, 10 p.m. | 25 minutes ago

Description : This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[taxonomies] parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector. This vulnerability is fixed in 1.11.0-beta.1.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2025-66448 – vLLM vulnerable to remote code execution via transformers_utils/get_config

CVE-2025-66415 – fastify-reply-from bypass of reply forwarding

CVE-2025-66412 – Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes

CVE-2025-66410 – Gin-vue-admin has an arbitrary file deletion vulnerability