CVE-2025-66301

high-risk
Published 2025-12-01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

Do I need to act?

!
28.7% chance of exploitation in next 30 days
EPSS score — higher than 71% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.6/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Getgrav

References (2)

Exploit https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh
Exploit https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh
69
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 15/34 · Moderate
Exposure 22/34 · High