Stored Cross-Site Scripting Vulnerability in Grav Admin Plugin
CVE-2025-66312

6.2MEDIUM

Key Information:

Vendor: Getgrav
Status: Grav
Vendor: CVE Published:; 1 December 2025

What is CVE-2025-66312?

The Grav admin plugin, a vital interface for managing Grav applications, is susceptible to a Stored Cross-Site Scripting vulnerability. When unpatched versions are utilized, specifically before 1.11.0-beta.1, attackers can manipulate the /admin/accounts/groups/Grupo endpoint to inject harmful scripts into the data[readableName] parameter. Once embedded, these scripts are stored on the server and executed in user sessions, leading to severe security implications for site visitors. Immediate updates to the plugin are essential to mitigate this risk.

Affected Version(s)

grav < 1.11.0-beta.1

References

https://github.com/getgrav/grav/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/getgrav/grav-plugin-admin/commit/99f65...

x_refsource_MISC

CVSS V4

Score:

6.2

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Dec 1, 2025
Vulnerability Reserved
Nov 26, 2025

JSON

Getgrav

What is CVE-2025-66312?

Affected Version(s)

References

CVSS V4

Timeline