CVE-2025-66312 Overview
CVE-2025-66312 is a stored Cross-Site Scripting (XSS) vulnerability in the Grav admin plugin, an HTML user interface used to configure Grav and manage pages. The flaw exists in the /admin/accounts/groups/Grupo endpoint and allows authenticated attackers to inject malicious scripts through the data[readableName] parameter. The injected payload is persisted server-side and executes in the browser of any user who subsequently views the affected page. The issue is tracked under [CWE-79] and is resolved in version 1.11.0-beta.1.
Critical Impact
Authenticated attackers can persist JavaScript payloads that execute in administrator browsers, enabling session theft, account takeover, and pivoting within the Grav CMS administrative interface.
Affected Products
- Getgrav grav-plugin-admin versions prior to 1.11.0-beta.1
- Grav CMS installations exposing the admin plugin interface
- Deployments using the /admin/accounts/groups/Grupo endpoint for group management
Discovery Timeline
- 2025-12-01 - CVE-2025-66312 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-66312
Vulnerability Analysis
The vulnerability is a stored XSS in the Grav admin plugin's group management workflow. When a user creates or modifies a group through the /admin/accounts/groups/Grupo endpoint, the data[readableName] parameter is accepted without proper output encoding. The value is then rendered back into the admin UI when the group listing or detail page loads. Because the payload is stored on the server, every administrator who visits the affected view automatically executes the attacker-supplied JavaScript in the context of the Grav admin origin. Exploitation requires high privileges to submit the malicious value and user interaction to trigger script execution.
Root Cause
The root cause is missing HTML escaping on user-controlled input that is later embedded into admin pages. The patch in commit 99f653296504f1d6408510dd2f6f20a45a26f9b0 introduces safe render functions in themes/grav/app/forms/fields/selectize.js that pass values through an escape() helper before inserting them into the DOM. The fix also hardens related admin form rendering paths that previously concatenated raw input into HTML strings.
Attack Vector
An attacker with an authenticated admin-capable account submits a crafted group creation or edit request containing JavaScript in the data[readableName] field. The value is stored in Grav's configuration. When another administrator opens the groups view, the stored payload executes under the admin session, allowing the attacker to perform actions in the victim's context.
// Patch: Safe render helpers added in selectize.js
// Security: Default render functions that escape HTML to prevent XSS
// (GHSA-65mj-f7p4-wggq, GHSA-7g78-5g5g-mvfj, GHSA-mpjj-4688-3fxg)
const SafeRender = {
option: function(item, escape) {
return `<div>${escape(item.text || item.value)}</div>`;
},
item: function(item, escape) {
return `<div>${escape(item.text || item.value)}</div>`;
}
};
export default class SelectizeField {
constructor(options = {}) {
this.options = Object.assign({}, options);
Source: GitHub Commit 99f6532
Detection Methods for CVE-2025-66312
Indicators of Compromise
- HTTP POST or PUT requests to /admin/accounts/groups/Grupo containing <script>, onerror=, onload=, or javascript: substrings within the data[readableName] parameter.
- Unexpected modifications to Grav group configuration files containing HTML or JavaScript fragments in the readableName field.
- Outbound requests from administrator browsers to unknown domains shortly after loading the Grav admin groups page.
Detection Strategies
- Inspect web server and application logs for requests to the group management endpoint containing encoded or raw script tags.
- Audit Grav user and group YAML files on disk for readableName values that include angle brackets or event handler attributes.
- Enable Content Security Policy (CSP) reporting on the admin interface and monitor report-uri violations for inline script execution.
Monitoring Recommendations
- Forward Grav admin access logs to a centralized log platform and alert on anomalous payload patterns targeting the groups endpoint.
- Track administrator session activity for unusual API calls that follow visits to the group management page.
- Monitor file integrity on Grav's user/accounts/groups/ directory for unexpected changes.
How to Mitigate CVE-2025-66312
Immediate Actions Required
- Upgrade the Grav admin plugin to version 1.11.0-beta.1 or later, which contains the fix in commit 99f6532.
- Review existing group definitions for any stored values in readableName containing HTML or JavaScript and sanitize them.
- Rotate admin credentials and invalidate active sessions if suspicious payloads are discovered in stored configuration.
Patch Information
The vulnerability is fixed in grav-plugin-admin version 1.11.0-beta.1. The remediation introduces HTML-escaping render helpers in the selectize form field component and tightens output encoding across admin form rendering paths. Full details are available in the GitHub Security Advisory GHSA-rmw5-f87r-w988 and the upstream commit 99f6532.
Workarounds
- Restrict access to the /admin interface using network controls or a reverse proxy until the patched version is deployed.
- Apply a strict Content Security Policy that disallows inline scripts on the Grav admin origin to limit payload execution.
- Limit administrative accounts to trusted personnel and enforce multi-factor authentication to reduce the risk of malicious group creation.
# Update the Grav admin plugin via the bin/gpm tool
cd /path/to/grav
bin/gpm update admin
bin/gpm version admin
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

