Reflected Cross-Site Scripting Vulnerability in Grav Admin Plugin
CVE-2025-66309
6.2 MEDIUM
What is CVE-2025-66309?
The Grav Admin Plugin, which provides an HTML user interface for configuring and managing the Grav application, has a Reflected Cross-Site Scripting (XSS) vulnerability in the /admin/pages/[page] endpoint. An attacker can use the data[header][content][items] parameter to inject script that is reflected into the admin page, potentially compromising the security of affected setups. The issue is resolved in versions 1.11.0-beta.1 and later; users should update their installations promptly.
Affected Version(s)
grav < 1.11.0-beta.1
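The affected range above is a strict version comparison against a pre-release tag, which naive string comparison gets wrong (for example, "1.11.0" must count as fixed even though it sorts before "1.11.0-beta.1" lexically). The following Python is an added example, not part of Grav or this advisory; it parses Grav version strings using SemVer ordering (pre-release sorts before the final release of the same core) and reports whether an installed version falls inside the published affected range. The inventory in the usage section is a constructed sample.

```python
"""Determine whether an installed Grav version falls in the affected range
published for CVE-2025-66309 (grav < 1.11.0-beta.1).

Added example code; not part of Grav or the advisory. Version ordering
follows SemVer 2.0: a pre-release such as 1.11.0-beta.1 sorts before the
final 1.11.0 release, and pre-release identifiers compare dot by dot.
"""
import re
from typing import Dict, Iterable, Tuple

# First fixed release as stated in the advisory.
FIXED_VERSION = "1.11.0-beta.1"

# Optional leading "v", MAJOR.MINOR.PATCH, optional "-prerelease".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def _ident_key(ident: str) -> Tuple[int, object]:
    # SemVer rule: numeric identifiers compare numerically and rank below
    # alphanumeric ones, so "1" < "beta" and "2" < "10".
    return (0, int(ident)) if ident.isdigit() else (1, ident)


def parse_version(text: str):
    """Return a tuple that orders correctly with Python's < operator."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    # A release with no pre-release tag is newer than any pre-release of
    # the same core, so it gets the higher first element.
    if pre is None:
        pre_key: Tuple = (1,)
    else:
        pre_key = (0, tuple(_ident_key(p) for p in pre.split(".")))
    return (core, pre_key)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is strictly older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Classify each version string; unparseable strings are flagged rather
    than silently treated as safe."""
    result: Dict[str, str] = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected(v) else "not affected"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real installations.
    sample = ["1.7.48", "1.10.0", "1.11.0-alpha.2", "1.11.0-beta.1",
              "1.11.0", "1.11.1", "latest"]
    for version, status in triage(sample).items():
        print(f"{version:16} {status}")
```

Anything the parser cannot read is reported as "unparseable" rather than "not affected", so an odd build string in an inventory cannot hide an unpatched instance.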
References
CVSS V4
Score: 6.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
