This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[taxonomies] parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector. This vulnerability is fixed in 1.11.0-beta.1.
References
| Link | Resource |
|---|---|
| https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 | Patch |
| https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f | Exploit Vendor Advisory |
| https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f | Exploit Vendor Advisory |
Configurations
History
03 Dec 2025, 21:56
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| CPE | cpe:2.3:a:getgrav:grav-plugin-admin:*:*:*:*:*:*:*:* | |
| First Time |
Getgrav grav-plugin-admin
Getgrav |
|
| References | () https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 - Patch | |
| References | () https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f - Exploit, Vendor Advisory |
02 Dec 2025, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f - |
01 Dec 2025, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-01 22:15
Updated : 2025-12-03 21:56
NVD link : CVE-2025-66308
Mitre link : CVE-2025-66308
CVE.ORG link : CVE-2025-66308
JSON object : View
Products Affected
getgrav
- grav-plugin-admin
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')