Stored Cross-Site Scripting in Grav Admin Plugin
CVE-2025-66310

6.2MEDIUM

Key Information:

Vendor: Getgrav
Status: Grav
Vendor: CVE Published:; 1 December 2025

What is CVE-2025-66310?

A Stored Cross-Site Scripting vulnerability exists in the Grav Admin Plugin prior to version 1.11.0-beta.1, allowing malicious actors to inject harmful scripts via the data[header][template] parameter. The injected scripts are stored in the page's frontmatter and are executed whenever the compromised content is displayed, either in the administrative interface or the front end. This flaw could be exploited to execute unauthorized actions or extract sensitive information, highlighting the critical necessity for users to upgrade to the patched version.

Affected Version(s)

grav < 1.11.0-beta.1

References

https://github.com/getgrav/grav/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/getgrav/grav-plugin-admin/commit/99f65...

x_refsource_MISC

CVSS V4

Score:

6.2

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 1, 2025
Vulnerability Reserved
Nov 26, 2025

CVE-2025-66310 Data

JSON

Getgrav

What is CVE-2025-66310?

Affected Version(s)

References

CVSS V4

Timeline