CVE-2025-66294

high-risk

Published 2025-12-01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.

Do I need to act?

41.4% chance of exploitation in next 30 days

EPSS score — higher than 59% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (20)

Grav

Affected Vendors

Getgrav

References (2)

Patch https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458

Exploit https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 17/34 · Moderate

Exposure 22/34 · High