CVE-2025-65186: Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor

December 2, 2025 (updated December 3, 2025)

Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface.

References

github.com/advisories/GHSA-cchq-397m-q2qm
github.com/getgrav/grav
github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65186.pdf
nvd.nist.gov/vuln/detail/CVE-2025-65186

Code Behaviors & Features

Detect and mitigate CVE-2025-65186 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →