CVE-2025-66843

MEDIUM

Grav < 1.7.49.5 - Authenticated Stored Cross-Site Scripting in Page Editing Functionality

Title source: llm

Description

grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.

References (1)

Core 1

Core References

Exploit, Issue Tracking, Third Party Advisory

https://github.com/Yohane-Mashiro/grav_cve/issues/1

Scores

CVSS v3 5.4

EPSS 0.0014

EPSS Percentile 3.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

getgrav/grav < 1.7.49.5

getgrav/grav 0Packagist

Published Dec 15, 2025

Tracked Since Feb 18, 2026