Stored Cross-Site Scripting Vulnerability in Grav Admin Plugin
CVE-2025-66308

6.8MEDIUM

Key Information:

Vendor: Getgrav
Status: Grav
Vendor: CVE Published:; 1 December 2025

What is CVE-2025-66308?

A Stored Cross-Site Scripting vulnerability exists in the Grav Admin Plugin prior to version 1.11.0-beta.1. This issue allows attackers to inject malicious scripts through the data[taxonomies] parameter at the /admin/config/site endpoint. The malicious payload is stored on the server and executed in the browser of users who view the site configuration, leading to persistent security risks. This vulnerability has been addressed in the latest plugin release.

Affected Version(s)

grav < 1.11.0-beta.1

References

https://github.com/getgrav/grav/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/getgrav/grav-plugin-admin/commit/99f65...

x_refsource_MISC

CVSS V4

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Dec 1, 2025
Vulnerability Reserved
Nov 26, 2025

JSON

Getgrav

What is CVE-2025-66308?

Affected Version(s)

References

CVSS V4

Timeline