This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface. This vulnerability is fixed in 1.11.0-beta.1.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66311.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-79"
]
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:getgrav:grav-plugin-admin:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.10.50"
}
]
}