CVE-2025-66294
published 2025-12-01

Priority: P2 (71), high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit code exists (see the Metasploit module under Detection & IOCs)
EPSS: 2.64% (83.7th percentile)
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.

Affected (4 ranges)

Vendor    Product   Version range              Fixed in
getgrav   grav      < 1.8.0-beta.27            1.8.0-beta.27
getgrav   grav      (no range given)           (none given)
getgrav   grav      >= 0 < 1.8.0-beta.27       1.8.0-beta.27
getgrav   grav      >= 1.7.48 < 1.8.0          1.8.0

Detection & IOCs (extracted from sources)

Source URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/grav_twig_ssti_sandbox_bypass_rce.rb
Source path: modules/exploits/multi/http/grav_twig_ssti_sandbox_bypass_rce.rb
  • Detect exploitation attempts targeting the `cleanDangerousTwig` method bypass via nested Twig template expressions (e.g., `{{` within `evaluate_twig` calls) in HTTP request bodies or page YAML frontmatter.
  • Monitor for unauthorized or anomalous modifications to form YAML frontmatter `process` sections in Grav CMS, which is the injection vector leveraged alongside CVE-2025-66301 (broken access control).
  • Flag unauthenticated HTTP requests that successfully reach Grav page-editing or form-processing endpoints and contain Twig template syntax, as the vulnerability may be exploitable without authentication under certain conditions.
  • The vulnerability is fixed in Grav 1.8.0-beta.27; ensure instances are patched to this version or later to remediate the weak regex in `cleanDangerousTwig`.
  • Exploitation chains CVE-2025-66294 (SSTI) with CVE-2025-66301 (broken access control); both vulnerabilities should be assessed and remediated together.

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH
  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.7 HIGH
  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X