CVE-2025-65186
Published 2025-12-02
Priority P4 · 26 · medium · 6.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.18% (8.1th percentile)
Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | — | — |
| getgrav | grav | 0 – 1.7.49 | — |
GHSA · 2025-12-02: CVE-2025-65186 [MEDIUM] CWE-79: Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor
OSV · 2025-12-02: CVE-2025-65186 [MEDIUM]: Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.