CVE-2025-66312

Name of the Vulnerable Software and Affected Versions Grav versions prior to 1.11.0-beta.1

Description The Grav admin plugin, an HTML user interface for configuring Grav and managing pages, contains a Stored Cross-Site Scripting (XSS) issue. The vulnerability exists in the /admin/accounts/groups/Grupo API endpoint, specifically within the data[readableName] parameter. Successful exploitation allows attackers to inject malicious scripts that are stored on the server and executed when users access the affected page.

Recommendations Update to Grav version 1.11.0-beta.1 or later.