CVE-2025-66311
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters
Description
## Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][metadata]`, `data[header][taxonomy][category]`, and `data[header][taxonomy][tag]` parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface. --- ## Details **Vulnerable Endpoint:** `POST /admin/pages/[page]` **Parameters:** - `data[header][metadata]` - `data[header][taxonomy][category]` - `data[header][taxonomy][tag]` The application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page's YAML frontmatter. When the page or metadata is rendered (especially in the Admin Panel), the payload is executed in the browser of any user with access. --- ## PoC **Payload:** `<script>alert('PoC-XXS51')</script>` ### Steps to Reproduce: 1. Log into the _Grav_ Admin Panel and navigate to **Pages**. 2. Create or edit a page. 3. Inject the payload above into any of the following fields in the Options tab: - **Metadata** key name - **Category** under Taxonomy - **Tag** under Taxonomy   4. Save the page.  When the page is loaded again in the Admin Panel or potentially on the frontend (depending on how the metadata is used), the script is executed, confirming the **Stored XSS** vulnerability. --- ## Impact Stored XSS vulnerabilities can result in serious consequences, including: - **Session hijacking:** Attackers can steal authentication cookies or tokens - **Malware delivery:** Injected scripts can download malicious software - **Credential theft:** Fake input fields can capture usernames and passwords - **Sensitive data exposure:** Access to internal metadata and browser data - **Administrative access compromise:** Especially dangerous in admin-facing interfaces - **Phishing attacks:** Users can be redirected to external malicious sites - **Reputation damage:** Executing arbitrary scripts in trusted systems undermines credibility by [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)