Overview

CVE-2025-66309 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the Grav Admin Plugin, the plugin used to manage Grav CMS installations. The vulnerability affects plugin versions prior to 1.11.0-beta.1. It allows an attacker to run JavaScript in an administrator's browser session by getting the administrator to open a crafted URL. Update the Grav Admin Plugin to version 1.11.0-beta.1 or later to mitigate this risk.

Technical Details

The vulnerability resides in the /admin/pages/[page] endpoint of the Grav admin interface. An attacker can inject script through the data[header][content][items] parameter. When a Grav administrator opens a specially crafted URL, the injected script is…
-
Overview

CVE-2025-66308 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Admin Plugin for Grav, a popular flat-file CMS. It allows an attacker to inject JavaScript into the site's configuration; the script is stored and then executed in the browser of any administrator who opens the site configuration settings. Because the payload persists and targets administrator sessions, it requires prompt attention.

Technical Details

The vulnerability resides in the /admin/config/site endpoint when a vulnerable version of the Admin plugin is in use. Specifically, the data[taxonomies] parameter accepts unsanitised input. An attacker can inject arbitrary HTML and JavaScript code into this…
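Both XSS advisories above (the reflected data[header][content][items] case and the stored data[taxonomies] case) come down to the same defect: an admin-supplied value reaches the admin page as markup. The following is an added example, written for this page in Python rather than Grav's PHP and not taken from the advisories or from the Grav project, showing the unencoded rendering beside a version that encodes each value for the context it lands in. The taxonomy values, the payloads and the markup shape are constructed for the example.

```python
import html
import json
from typing import Iterable

# Constructed sample values of the kind the advisories say are submitted in
# data[taxonomies] (stored, CVE-2025-66308) or reflected from
# data[header][content][items] (CVE-2025-66309). The payloads are
# hypothetical; they are not taken from either advisory.
SAMPLE_TAXONOMIES = {
    "category": ["blog", "<script>alert(document.cookie)</script>"],
    "tag": ['" onmouseover="alert(1)', "news"],
}

ATTACK_STRINGS = ["<script>alert(document.cookie)</script>", '" onmouseover="alert(1)']


def render_taxonomies_vulnerable(taxonomies: dict) -> str:
    """Admin markup built by plain string interpolation. A stored value
    containing '<' or '"' is emitted as markup and runs in the admin's browser."""
    out = []
    for name, values in taxonomies.items():
        for value in values:
            out.append(f'<input name="data[taxonomies][{name}]" value="{value}">')
            out.append(f"<li>{value}</li>")
    return "\n".join(out)


def render_taxonomies_fixed(taxonomies: dict) -> str:
    """Same markup with every untrusted value encoded for its output context.
    html.escape(quote=True) covers both element text and double-quoted
    attribute values, so neither the <li> nor the value="" can be broken out of."""
    out = []
    for name, values in taxonomies.items():
        safe_name = html.escape(str(name), quote=True)
        for value in values:
            safe_value = html.escape(str(value), quote=True)
            out.append(f'<input name="data[taxonomies][{safe_name}]" value="{safe_value}">')
            out.append(f"<li>{safe_value}</li>")
    return "\n".join(out)


def embed_in_script_fixed(obj) -> str:
    """Values that must reach inline JavaScript need a different encoder:
    JSON-serialise, then escape '<' and '>' so a value containing
    '</script>' cannot close the script block early."""
    encoded = json.dumps(obj).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var taxonomies = {encoded};</script>"


def leaks_raw_markup(rendered: str, payloads: Iterable[str]) -> bool:
    """True if any payload appears in the output byte-for-byte, i.e. unencoded."""
    return any(p in rendered for p in payloads)


if __name__ == "__main__":
    print("vulnerable renderer leaks markup:",
          leaks_raw_markup(render_taxonomies_vulnerable(SAMPLE_TAXONOMIES), ATTACK_STRINGS))
    print("fixed renderer leaks markup:",
          leaks_raw_markup(render_taxonomies_fixed(SAMPLE_TAXONOMIES), ATTACK_STRINGS))
    print(embed_in_script_fixed(SAMPLE_TAXONOMIES))
```

The point of the third function is that HTML entity encoding is the wrong tool once a value is placed inside a script block; each output context (element text, attribute, JavaScript, URL) needs its own encoder, and a template engine with auto-escaping only helps if the template does not switch it off with a raw filter.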
-
Overview

CVE-2025-66307 is a medium-severity vulnerability in the Admin Plugin for Grav CMS. It allows an attacker to enumerate valid usernames and learn the email addresses associated with them. The issue stems from the "Forgot Password" functionality, which returns different server responses depending on whether the submitted username exists.

Technical Details

The vulnerability resides in the /admin/forgot endpoint of the Grav Admin Plugin. By submitting requests to this endpoint with different usernames and comparing the responses, an attacker can tell which names are valid. A positive response (for example, one indicating that a password reset email has been sent or queued) confirms that the username exists and…
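The enumeration check described above, and the handler pattern that defeats it, as an added example that is not code from the advisory or from the Grav Admin Plugin (Python is used here in place of the plugin's PHP). The account store, usernames, addresses and response texts are constructed for the example; the real endpoint's messages are not reproduced.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed in-memory account store standing in for Grav's
# user/accounts/*.yaml files. Names and addresses are hypothetical.
ACCOUNTS = {
    "admin": {"email": "admin@example.test"},
    "editor": {"email": "editor@example.test"},
}


@dataclass
class Response:
    status: int
    body: str
    # Server-side effects, never returned to the caller.
    emails_queued: List[str] = field(default_factory=list)
    reset_token: Optional[str] = None


def forgot_vulnerable(username: str) -> Response:
    """Two distinct branches with two distinct responses. The body alone
    tells the caller whether the username exists; the status code and the
    extra work done on the success path leak the same bit."""
    account = ACCOUNTS.get(username)
    if account is None:
        return Response(404, f"User '{username}' not found")
    token = secrets.token_urlsafe(32)
    return Response(200, "Password reset email sent", [account["email"]], token)


def forgot_fixed(username: str) -> Response:
    """One status and one body whatever the outcome. The token is generated
    on both paths so the work done does not depend on whether the account
    exists; the email is only queued (and the token only stored) when it does."""
    token = secrets.token_urlsafe(32)
    account = ACCOUNTS.get(username)
    queued = [account["email"]] if account else []
    return Response(200, "If that account exists, a password reset link has been sent",
                    queued, token if account else None)


def responses_distinguishable(handler: Callable[[str], Response],
                              probably_valid: str, probably_invalid: str) -> bool:
    """The attacker's check: submit a name that is likely to exist and one that
    is not, and compare everything the client can observe (here status and body;
    in practice also headers, length, redirects and timing)."""
    a, b = handler(probably_valid), handler(probably_invalid)
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    for name, handler in (("vulnerable", forgot_vulnerable), ("fixed", forgot_fixed)):
        print(f"{name}: enumerable =", responses_distinguishable(handler, "admin", "nobody"))
```

When testing a real instance, compare the full response (status, headers, body length, redirect target and response time) rather than the visible message alone; a uniform message with a noticeably slower success path still confirms the account.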
-
Overview

CVE-2025-66306 describes an Insecure Direct Object Reference (IDOR) vulnerability in the Grav CMS Admin Panel. The flaw, present in versions prior to 1.8.0-beta.27, allows low-privileged users to read information belonging to other accounts. Direct account takeover is not possible, but the exposure of administrator email addresses and other account metadata makes phishing, credential stuffing and social engineering attacks easier to mount.

Technical Details

The IDOR stems from insufficient access-control checks in the Grav CMS Admin Panel. A low-privileged user can manipulate request parameters (likely account identifiers) to retrieve data associated with other user accounts. This allows the…
-
On December 1st, 2025, a critical security vulnerability was disclosed in Grav CMS, a popular file-based web platform. Designated CVE-2025-66305, it allows an attacker to cause a Denial of Service (DoS) by submitting malformed input to the Grav admin configuration panel.

Overview

CVE-2025-66305 affects versions of Grav CMS prior to 1.8.0-beta.27. The vulnerability resides in the "Languages" section of the admin system configuration panel (/admin/config/system), specifically the "Supported" languages setting. Because the submitted value is not validated, an attacker can store a malformed value that leads to a fatal error and makes the entire Grav site unavailable.

Technical…
-
Overview

CVE-2025-66304 is a medium-severity vulnerability in Grav, a file-based web platform. In versions prior to 1.8.0-beta.27, a user with read access to the user account management section of the admin panel can view the password hashes of all users, including the administrator. If the attacker cracks those hashes offline, the result is privilege escalation.

Technical Details

The vulnerability stems from insufficient access control in the Grav admin panel. A user with read-only privileges in the user management section is unintentionally shown sensitive account data, including the stored password hashes.…
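CVE-2025-66306 (other users' email and metadata) and CVE-2025-66304 (everyone's password hashes) share a root cause: being allowed to open the user list is treated as being allowed to read any account record in full. The following added example, written for this page and not taken from Grav, shows the unfiltered read beside a version that authorises the requester/target pair and then projects the record down to the fields that role may see. The account records, field names and role names are constructed for the example and are not Grav's real schema or ACL keys.

```python
import copy
from typing import Dict, Optional, Set

# Constructed account records in the shape of Grav's user/accounts/*.yaml
# files. Field names and roles here are illustrative, not a verified Grav
# schema or its real ACL keys.
ACCOUNTS: Dict[str, dict] = {
    "admin": {
        "email": "admin@example.test",
        "fullname": "Site Admin",
        "hashed_password": "$2y$10$constructedhashvalue0000000000000000000000000",
        "twofa_secret": "JBSWY3DPEHPK3PXP",
        "reset": "constructedtoken:1764000000",
        "access": {"admin": {"super": True}},
    },
    "editor": {
        "email": "editor@example.test",
        "fullname": "Content Editor",
        "hashed_password": "$2y$10$constructedhashvalue1111111111111111111111111",
        "access": {"admin": {"login": True, "pages": True}},
    },
}

# Fields that must never leave the server, whoever asks.
SECRET_FIELDS: Set[str] = {"hashed_password", "twofa_secret", "reset"}

# What a role may see on *other* accounts. None = every non-secret field.
OTHER_ACCOUNT_FIELDS: Dict[str, Optional[Set[str]]] = {
    "users.admin": None,
    "users.read": {"fullname", "access"},   # no email: that is the CVE-2025-66306 leak
}


def get_account_vulnerable(requester: str, target: str) -> dict:
    """The flawed pattern: 'can open the user list' is treated as 'can read
    any record in full'. Every field, hash included, goes to the caller."""
    return copy.deepcopy(ACCOUNTS[target])


def get_account_fixed(requester: str, requester_role: str, target: str) -> dict:
    """Authorise the (requester, target) pair, then project the record down
    to the fields that role may see. Secrets are stripped unconditionally,
    so even a bug in the role table cannot expose a hash or 2FA seed."""
    if target not in ACCOUNTS:
        raise KeyError(target)
    record = {k: copy.deepcopy(v) for k, v in ACCOUNTS[target].items() if k not in SECRET_FIELDS}
    if target == requester:
        return record
    if requester_role not in OTHER_ACCOUNT_FIELDS:
        raise PermissionError(f"{requester} may not read account {target}")
    allowed = OTHER_ACCOUNT_FIELDS[requester_role]
    if allowed is None:
        return record
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    print("vulnerable:", sorted(get_account_vulnerable("editor", "admin")))
    print("fixed, read-only role:", sorted(get_account_fixed("editor", "users.read", "admin")))
    print("fixed, own record:", sorted(get_account_fixed("editor", "users.read", "editor")))
```

The unconditional strip of SECRET_FIELDS is the part worth copying: a password hash has no reason to be in an HTTP response for any role, so it should be removed at the serialisation boundary rather than left to per-role logic that can be misconfigured.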
-
Overview

CVE-2025-66303 is a medium-severity Denial of Service (DoS) vulnerability in Grav, a file-based web platform. In versions prior to 1.8.0-beta.27, an attacker can render the administrative panel unusable by submitting malicious input in the scheduled_at parameter. The flaw is insufficient input validation when handling cron expressions: the bad value corrupts the stored configuration, leaving the admin interface non-functional.

Technical Details

The vulnerability lies in Grav's handling of user-supplied input for scheduled tasks. The scheduled_at parameter, which defines when a task runs as a cron expression, lacks proper validation. An…
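CVE-2025-66305 (the "Supported" languages setting) and CVE-2025-66303 (the scheduled_at cron expression) are the same failure mode: a config value is persisted without validation and breaks the site or the admin panel when it is read back. The following added example, written for this page in Python and not taken from Grav's own config handling, validates both kinds of value and refuses to write the configuration if any field fails. The flat config keys, the language-tag pattern and the accepted cron syntax are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Allowed range per cron field: minute, hour, day-of-month, month, day-of-week.
CRON_BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

# Language tags of the form Grav uses for supported languages ("en", "fr",
# "en-GB"). The pattern is an assumption for this example.
LANG_TAG = re.compile(r"^[a-z]{2,3}(-[A-Za-z0-9]{2,8})*$")


def _valid_cron_field(text: str, lo: int, hi: int) -> bool:
    """Accepts '*', N, A-B, comma lists of those, and an optional '/step'.
    Names such as 'mon' or 'jan' are deliberately not accepted."""
    for part in text.split(","):
        base, _, step = part.partition("/")
        if step and not (step.isdigit() and int(step) >= 1):
            return False
        if base == "*":
            continue
        first, dash, last = base.partition("-")
        if not first.isdigit():
            return False
        if dash:
            if not last.isdigit() or not (lo <= int(first) <= int(last) <= hi):
                return False
        elif not (lo <= int(first) <= hi):
            return False
    return True


def validate_cron(expr: str) -> bool:
    """True only for a well-formed five-field expression."""
    fields = expr.strip().split()
    if len(fields) != len(CRON_BOUNDS):
        return False
    return all(_valid_cron_field(f, lo, hi) for f, (lo, hi) in zip(fields, CRON_BOUNDS))


def validate_supported_languages(value) -> List[str]:
    """Accepts the list the admin form submits (or a comma-separated string)
    and returns a clean list, raising ValueError on anything else."""
    if isinstance(value, str):
        items = [v.strip() for v in value.split(",") if v.strip()]
    elif isinstance(value, list):
        items = value
    else:
        raise ValueError(f"languages.supported must be a list, got {type(value).__name__}")
    for item in items:
        if not isinstance(item, str) or not LANG_TAG.match(item):
            raise ValueError(f"invalid language tag: {item!r}")
    if len(set(items)) != len(items):
        raise ValueError("duplicate language tag")
    return items


def save_admin_config(current: dict, submitted: dict) -> Tuple[dict, List[str]]:
    """Validate every submitted field before touching the stored config.
    Returns the new config and a list of errors; on any error the stored
    config is returned unchanged, so a bad value can never be persisted
    and brought back on the next request. Keys are a constructed flat layout."""
    errors: List[str] = []
    updated = dict(current)
    if "languages.supported" in submitted:
        try:
            updated["languages.supported"] = validate_supported_languages(submitted["languages.supported"])
        except ValueError as exc:
            errors.append(str(exc))
    if "scheduled_at" in submitted:
        if validate_cron(submitted["scheduled_at"]):
            updated["scheduled_at"] = submitted["scheduled_at"].strip()
        else:
            errors.append(f"invalid cron expression: {submitted['scheduled_at']!r}")
    return (current, errors) if errors else (updated, [])
```

The "validate then write, never write then validate" ordering matters more than the exact grammar: a value that passes an upstream form check but still crashes the loader should be caught by the same strict parser the loader uses, so the two never disagree.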
-
Overview

CVE-2025-66302 describes a medium-severity path traversal vulnerability in Grav CMS, a file-based web platform. It allows an authenticated attacker with administrative privileges to read arbitrary files on the server's file system. The vulnerability resides in the backup tool, which does not adequately sanitise user-supplied paths.

Technical Details

The backup tool in Grav CMS prior to version 1.8.0-beta.27 fails to properly sanitise the paths it is given. In particular, it does not restrict the files it reads to the intended webroot directory. An attacker with administrative access can manipulate the path passed to the backup functionality…
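The confinement check the backup tool was missing, as an added example written for this page (Python, not Grav's PHP backup code): the naive join beside a version that resolves the candidate path and refuses it unless it is still inside the root. The demo builds a throwaway directory tree with a file outside the root and a symlink pointing at it; the tree, file names and paths are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def resolve_inside(root: str, user_path: str) -> Path:
    """Resolve user_path against root and refuse anything that ends up
    outside root once '..', absolute paths and symlinks are resolved.
    Joining alone is not enough: Path('/var/www') / '/etc/passwd' is
    '/etc/passwd', and os.path.join behaves the same way."""
    root_real = Path(root).resolve()
    candidate = (root_real / user_path).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PermissionError(f"{user_path!r} escapes {root_real}") from None
    return candidate


def backup_path_vulnerable(root: str, user_path: str) -> str:
    """The flawed version: trusts the supplied path after a plain join."""
    return os.path.normpath(os.path.join(root, user_path))


def _accepts(root: str, user_path: str) -> bool:
    try:
        resolve_inside(root, user_path)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Builds a throwaway tree (constructed for this example) and records
    which inputs each version accepts. Returns a dict the caller can inspect."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "grav"
        (root / "user" / "pages").mkdir(parents=True)
        (root / "user" / "pages" / "index.md").write_text("---\ntitle: Home\n---\n")
        outside = Path(tmp) / "outside.txt"
        outside.write_text("not for backup\n")
        link_ok = True
        try:
            os.symlink(outside, root / "user" / "escape")
        except OSError:
            link_ok = False  # platform without symlink support; case skipped

        attempts = {
            "normal": "user/pages/index.md",
            "dotdot": "../outside.txt",
            "absolute": str(outside),
            "symlink": "user/escape" if link_ok else None,
        }
        for name, rel in attempts.items():
            if rel is None:
                continue
            vuln = backup_path_vulnerable(str(root), rel)
            results[name] = {
                "vulnerable_accepts": Path(vuln).exists(),
                "fixed_accepts": _accepts(str(root), rel),
            }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} vulnerable={outcome['vulnerable_accepts']} fixed={outcome['fixed_accepts']}")
```

Resolving symlinks before the containment test is what closes the third case; a check that only normalises `..` segments still follows a link inside the root to wherever it points. In a backup tool the root should be the Grav install itself, and the same check belongs on any other admin-supplied path, not only on the one field the advisory names.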
-
Overview

CVE-2025-66301 identifies a critical vulnerability in Grav, a file-based web platform. In versions prior to 1.8.0-beta.27, a user with limited editing permissions can modify a page's YAML frontmatter in ways that should require higher privileges. Specifically, an editor who may only edit basic content can change the data[_json][header][form] section, which defines the form's process steps, that is, what the site does after a visitor submits the form. Controlling those steps opens the way to further exploitation.

Technical Details

The vulnerability stems from insufficient authorization checks on POST requests to /admin/pages/{page_name}. An editor with permission to modify basic content can alter critical fields within the data[_json][header][form] section…
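Field-level authorisation on the header save, as an added example written for this page (Python, not Grav's page-save code): the save that writes whatever header arrives beside a version that diffs the protected keys against what is stored and rejects the request unless the caller holds a separate permission. The stored page, the protected-key list beyond `form`, and the permission names are constructed for the example and are not Grav's own.

```python
import copy
from typing import Set

# Header keys that control behaviour rather than content. 'form' is the one
# CVE-2025-66301 names (its 'process' list decides what happens on submit);
# the others are plausible additions for this example, not a Grav list.
PROTECTED_HEADER_KEYS: Set[str] = {"form", "forms", "process", "access", "twig_first"}

# Hypothetical permission names for this example (not Grav's real ACL keys).
FULL_HEADER_WRITE = {"admin.super", "admin.pages.header"}

# Constructed page as stored on disk: a contact form whose submissions are emailed.
STORED_PAGE = {
    "header": {
        "title": "Contact",
        "form": {
            "name": "contact",
            "fields": [{"name": "email", "type": "email"}],
            "process": [{"email": {"to": "owner@example.test"}}, {"message": "Thanks"}],
        },
    },
    "content": "Get in touch.",
}


def changed_protected_keys(existing: dict, submitted: dict) -> Set[str]:
    """Protected keys whose submitted value differs from what is stored,
    including keys added or removed. Deep comparison catches a change
    buried inside form.process."""
    changed = set()
    for key in PROTECTED_HEADER_KEYS:
        if existing.get(key) != submitted.get(key):
            changed.add(key)
    return changed


def save_header_vulnerable(page: dict, submitted_header: dict, perms: Set[str]) -> dict:
    """Whoever may edit the page may write any header key."""
    page = copy.deepcopy(page)
    page["header"] = copy.deepcopy(submitted_header)
    return page


def save_header_fixed(page: dict, submitted_header: dict, perms: Set[str]) -> dict:
    """An editor may change content keys; touching a protected key requires
    a separate permission. Rejected rather than silently reverted, so the
    editor's other edits are not saved under a misleading success message."""
    if not perms & FULL_HEADER_WRITE:
        changed = changed_protected_keys(page["header"], submitted_header)
        if changed:
            raise PermissionError(f"not allowed to modify header keys: {sorted(changed)}")
    page = copy.deepcopy(page)
    page["header"] = copy.deepcopy(submitted_header)
    return page


if __name__ == "__main__":
    tampered = copy.deepcopy(STORED_PAGE["header"])
    tampered["form"]["process"][0]["email"]["to"] = "attacker@example.test"
    print("vulnerable saves recipient:",
          save_header_vulnerable(STORED_PAGE, tampered, {"admin.pages"})["header"]["form"]["process"][0])
    try:
        save_header_fixed(STORED_PAGE, tampered, {"admin.pages"})
    except PermissionError as exc:
        print("fixed rejects:", exc)
```

Comparing against the stored header rather than inspecting the submitted value in isolation is what makes the check robust: it does not need to understand every process action, only to notice that a key the editor may not touch has changed.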
-
Overview

A critical security vulnerability, CVE-2025-66300, has been discovered in Grav CMS, a file-based web platform. It allows a low-privileged user account with page editing privileges to read arbitrary server files through the "Frontmatter" form. That includes Grav's user account files (/grav/user/accounts/*.yaml), which store hashed passwords, 2FA secrets and password reset tokens, so the impact on a Grav installation is severe.

Technical Details

The vulnerability stems from insufficient input validation when processing data submitted through the "Frontmatter" form in the Grav CMS administrative panel. A low-privileged user with page editing access can manipulate…