Stored XSS Vulnerability in Admin Plugin for Grav by GetGrav
CVE-2025-66311
6.2 MEDIUM
What is CVE-2025-66311?
A vulnerability in the admin plugin for Grav permits the injection of malicious scripts through specific parameters in the application's user interface. This stored XSS allows an attacker to manipulate data within a page's frontmatter so that crafted scripts execute automatically whenever the affected pages are accessed. The issue was resolved in version 1.11.0-beta.1; updating to a fixed release mitigates the risk.
Affected Version(s)
grav < 1.11.0-beta.1
References
CVSS V4
Score: 6.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
