CVE-2025-66309

EPSS 0.03%

Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab

Published: 12/2/2025Modified: 12/2/2025

Also known as:GHSA-65mj-f7p4-wggq

Description

## Summary A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][content][items]` parameter. --- ## Details **Vulnerable Endpoint:** `GET /admin/pages/[page]` **Parameter:** `data[header][content][items]` The application fails to properly validate and sanitize user input in the `data[header][content][items]` parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session. --- ## PoC **Payload:** `"><ImG sRc=x OnErRoR=alert('XSS-PoC3')>` 1. Log in to the _Grav_ Admin Panel and navigate to **Pages**. 2. Create a new page or edit an existing one. 3. In the **Advanced > Blog Config > Items** field (which maps to `data[header][content][items]`), insert the payload above. ![image](https://github.com/user-attachments/assets/ae77d92a-2e09-4b67-b3ae-5e317b9d518f) 4. Save the page. 5. The malicious payload is reflected and rendered by the application without proper sanitization. The JavaScript code is immediately executed in the browser. ![image](https://github.com/user-attachments/assets/328b0714-750a-421d-ad5e-ea7f148dca8f) --- ## Impact Reflected cross-site scripting (XSS) attacks can have serious consequences, including: - **User actions:** Attackers can perform actions on behalf of the user - **Data theft:** Sensitive information such as session cookies can be stolen - **Account compromise:** Attackers may impersonate legitimate users - **Malicious code execution:** Arbitrary JavaScript code can run in the user’s browser - **Website defacement or misinformation:** Malicious output may be injected visually - **User redirection:** Victims may be redirected to phishing or malicious websites by [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)

Affected packages (1)

Packagist/getgrav/gravfrom 0, < 1.8.0-beta.27

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H

Description

Affected packages (1)

CVSS scores

References (4)