Featured image of post CVE-2025-66311
XSS Moderate Grav Security WebApp

CVE-2025-66311

Cross-Site Scripting (XSS) Stored

CVE-2025-66311: Cross-Site Scripting (XSS) Stored Endpoint /admin/pages/[page] in Multiples Parameters

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-66311

Summary

Multiples Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category] and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.

Details

Vulnerable Endpoint: POST /admin/pages/[page]

Parameters: data[header][metadata], data[header][taxonomy][category] and data[header][taxonomy][tag]

The application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page's YAML frontmatter. When the page or metadata is rendered (especially in the Admin Panel), the payload is executed in the browser of any user with access.

PoC

Payload:

1

<script>alert('PoC-XXS51')</script>

Steps to Reproduce:

  • Log into the Grav Admin Panel and navigate to Pages.
  • Create or edit a page.
  • Inject the payload above into any of the following fields in the Options tab: Metadata key name; Category under Taxonomy; Tag under Taxonomy:

  • Save the page.

When the page is loaded again in the Admin Panel or potentially on the frontend (depending on how the metadata is used), the script is executed, confirming the Stored XSS vulnerability.

Impact

  • Stealing session cookies: Attackers can use stolen session cookies to hijack a user's session and perform actions on their behalf.
  • Downloading malware: Attackers can trick users into downloading and installing malware on their computers.
  • Hijacking browsers: Attackers can hijack a user's browser or deliver browser-based exploits.
  • Stealing credentials: Attackers can steal a user's credentials.
  • Obtaining sensitive information: Attackers can obtain sensitive information stored in a user's account or in their browser.
  • Defacing websites: Attackers can deface a website by altering its content.
  • Misdirecting users: Attackers can change the instructions given to users who visit the target website, misdirecting their behavior.
  • Damaging a business's reputation: Attackers can damage a business's image or spread misinformation by defacing a corporate website.

Reference

https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg

Finder

Marcelo Queiroz

By: CVE-Hunters

© 2020 - 2026 CVE-Hunters
Built with Hugo
Theme Stack designed by Jimmy