N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66309

GHSA ID

GHSA-65mj-f7p4-wggq

EPSS Score

CWE

CWE-79

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66309

CVE-2025-66309: Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter.

Details

Vulnerable Endpoint: GET /admin/pages/[page]
Parameter: data[header][content][items]

The application fails to properly validate and sanitize user input in the data[header][content][items] parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session.

PoC

Payload:

"><ImG sRc=x OnErRoR=alert('XSS-PoC3')>

Log in to the Grav Admin Panel and navigate to Pages.
Create a new page or edit an existing one.
In the Advanced > Blog Config > Items field (which maps to data[header][content][items]), insert the payload above.

Save the page.
The malicious payload is reflected and rendered by the application without proper sanitization. The JavaScript code is immediately executed in the browser.

Impact

Reflected cross-site scripting (XSS) attacks can have serious consequences, including:

User actions: Attackers can perform actions on behalf of the user
Data theft: Sensitive information such as session cookies can be stolen
Account compromise: Attackers may impersonate legitimate users
Malicious code execution: Arbitrary JavaScript code can run in the user’s browser
Website defacement or misinformation: Malicious output may be injected visually
User redirection: Victims may be redirected to phishing or malicious websites

by CVE-Hunters

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66309

CVE-2025-66309:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66309

GHSA ID

GHSA-65mj-f7p4-wggq

EPSS Score

CWE

CWE-79

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	< 1.8.0-beta.27	1.8.0-beta.27

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a reflected Cross-Site Scripting (XSS) issue within the Grav admin panel, specifically affecting fields that use the selectize.js component for input. The root cause is the failure to properly sanitize user-provided data before it is rendered in the browser. The analysis of the patch 99f653296504f1d6408510dd2f6f20a45a26f9b0 reveals that the vulnerability is addressed by modifying the SelectizeField.init method in themes/grav/app/forms/fields/selectize.js. This function is responsible for initializing the selectize dropdowns. The patch introduces a SafeRender object with functions that explicitly escape HTML content for the items and options displayed in the dropdown. This SafeRender is now applied by default if no other custom renderer is specified. This indicates that, prior to the patch, the component would render raw HTML provided in parameters like data[header][content][items], allowing an attacker to inject and execute malicious scripts. Therefore, the SelectizeField.init function is the key location where the insecure component was configured, making it the primary indicator of this vulnerability in a runtime context.

Vulnerable functions

SelectizeField.init

themes/grav/app/forms/fields/selectize.js

The `SelectizeField.init` function is responsible for initializing the `selectize.js` component, which is used for various fields in the Grav admin panel, including the 'Items' field under 'Blog Config'. Before the patch, this function did not provide a default HTML-escaping renderer for the items displayed in the selectize dropdown. When a user saved a page with a malicious payload in the `data[header][content][items]` parameter, this payload was stored. Upon page load, the `SelectizeField.init` function would initialize the component with this malicious data, which was then rendered without sanitization, leading to a reflected Cross-Site Scripting (XSS) vulnerability. The patch introduces a `SafeRender` object and applies it by default, ensuring that all content is escaped before being rendered.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66309: Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab

Summary

Details

PoC

Impact

CVE-2025-66309:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

CVE-2025-66309: Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab

Summary

Details

PoC

Impact

N/A

N/A

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66309: Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab

Summary

Details

PoC

Impact

CVE-2025-66309:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-66309: Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab

Summary

Details

PoC

Impact

N/A

N/A

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI