PT-2025-48569 · Grav Admin Plugin

Published: 2025-12-01 · Updated: 2025-12-04 · CVE-2025-66310

CVSS v4.0: 6.2 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.11.0-beta.1

Description: The Grav admin plugin, an HTML user interface for configuring Grav and managing pages, contains a Stored Cross-Site Scripting (XSS) issue. An attacker can inject malicious scripts into the data[header][template] parameter of the /admin/pages/[page] API endpoint. The injected script is stored in the page's frontmatter and automatically executed when the content is rendered in the administrative interface or frontend view.

Recommendations: Update to Grav version 1.11.0-beta.1 or later.
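The description above names one stored field (data[header][template]) and one sink (the value echoed back into the admin UI or the rendered page). The following is an added example, not Grav's code or the advisory's, showing the two defensive controls that close that path plus a request-log check a responder could use to look for attempts. The template-name pattern, the suspicious-content pattern and the form-encoded request samples are all assumptions constructed for the example; Grav's actual validation rules are not stated on this page.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed allow-list for a page template name. A Grav page template is a Twig
# file referenced by a bare name such as "default" or "blog/item", so a short
# identifier (optionally with "/" path separators) is all that should reach the
# frontmatter. This pattern is an assumption for the example, not Grav's rule.
TEMPLATE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_/-]{0,63}$")

# Markup or event-handler fragments that never belong in a template name.
# Constructed heuristic for the detection part of the example.
SUSPICIOUS_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def template_name_is_safe(value: str) -> bool:
    """Input validation: accept only an allow-listed template name."""
    return TEMPLATE_NAME_RE.fullmatch(value) is not None


def render_template_field(value: str) -> str:
    """Output encoding at the sink: even a value that slipped past validation
    and was stored in frontmatter cannot execute once it is HTML-escaped
    before being written into the page."""
    return html.escape(value, quote=True)


def audit_request_body(body: str) -> dict:
    """Inspect an application/x-www-form-urlencoded body posted to
    /admin/pages/<page> and report whether the template field looks hostile.
    The form encoding of the field name is an assumption of the example."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("data[header][template]", [])
    suspicious = any(
        not template_name_is_safe(v) or SUSPICIOUS_RE.search(v) for v in values
    )
    return {"present": bool(values), "values": values, "suspicious": suspicious}


def scan_requests(requests):
    """Return (path, value) pairs for POSTs to the admin pages endpoint whose
    template field fails the allow-list or matches the markup heuristic."""
    hits = []
    for method, path, body in requests:
        if method != "POST" or not path.startswith("/admin/pages/"):
            continue
        verdict = audit_request_body(body)
        if verdict["suspicious"]:
            hits.extend((path, v) for v in verdict["values"])
    return hits


# Constructed sample requests (method, path, body); the second one carries a
# script tag in the template field, the others are benign page saves.
CONSTRUCTED_REQUESTS = [
    ("POST", "/admin/pages/home",
     "data[header][title]=Home&data[header][template]=default"),
    ("POST", "/admin/pages/blog",
     "data%5Bheader%5D%5Btemplate%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"),
    ("POST", "/admin/pages/about",
     "data[header][template]=blog/item&data[content]=hello"),
    ("GET", "/admin/pages/home", ""),
]


if __name__ == "__main__":
    for path, value in scan_requests(CONSTRUCTED_REQUESTS):
        print(f"suspicious template value on {path}: {value!r}")
        print(f"  safe to render as: {render_template_field(value)}")
```

Validation and output encoding are independent controls: the allow-list stops the hostile value from being stored, and escaping at the sink means an already-stored value (for instance, written before the fix was applied) renders as inert text rather than executing. The scanner is only a starting point for triage; a request log that does not retain POST bodies will not show the field at all.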

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-66310
GHSA-7G78-5G5G-MVFJ

Affected Products

Grav
Grav Admin Plugin