Security
Headlines

Headlines Latest CVEs

Headline

GHSA-mh85-44c2-3m97: Grav is vulnerable to Stored XSS through authenticated user-edited content

grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.

5 days ago

#xss #vulnerability #git #java #auth

GitHub Advisory Database
GitHub Reviewed
CVE-2025-66843

Grav is vulnerable to Stored XSS through authenticated user-edited content

Moderate severity GitHub Reviewed Published Dec 15, 2025 to the GitHub Advisory Database • Updated Dec 17, 2025

Package

Affected versions

<= 1.7.49.5

grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-66843
Yohane-Mashiro/grav_cve#1

Published to the GitHub Advisory Database

Dec 15, 2025

Last updated

Dec 17, 2025

ghsa: Latest News

GHSA-83jg-m2pm-4jxj: Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification

6 hours ago

GHSA-f43r-cc68-gpx4: External Control of File Name or Path in Langflow

1 day ago

GHSA-5993-7p27-66g5: Langflow vulnerable to Server-Side Request Forgery

1 day ago

GHSA-24v3-254g-jv85: Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature

1 day ago

GHSA-4hx9-48xh-5mxr: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

1 day ago