CVE-2025-66297
Published: 2025-12-01
Priority: P2 (63) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.69% (47.9th percentile)
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | < 1.8.0-beta.27 | 1.8.0-beta.27 |
| getgrav | grav | < 1.8.0 | 1.8.0 |
| getgrav | grav | — | — |
| getgrav | grav | >= 0 < 1.8.0-beta.27 | 1.8.0-beta.27 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
ghsa · 2025-12-02 · CVE-2025-66297 [HIGH] · CWE-1336
### Summary
A user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities.
### Details
Grav CMS allows Twig to be executed in page templates if this is enabled in the admin panel (`process: twig: true` in the page frontmatter).
A user with publisher/editor privileges who can create or edit pages and enable Twig processing can thereby inject arbitrary code that executes in the context of the page render.
This
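As an added defender-side check, not part of the advisory or of Grav's own code, the script below walks a Grav `user/pages` tree and reports every page whose frontmatter turns on Twig processing, so an administrator can review which content authors have enabled it. The default path, the sample pages and the set of YAML spellings treated as "true" are assumptions.

```python
import re
import sys
from pathlib import Path
from typing import List

# Frontmatter sits between the leading '---' lines of a Grav page (.md) file.
_FRONTMATTER = re.compile(r"\A---[ \t]*\n(.*?)\n---", re.DOTALL)
# Block style:  process:\n  twig: true      (the form quoted in the advisory)
_BLOCK = re.compile(r"^process:[ \t]*\n((?:[ \t]+.*\n?)+)", re.MULTILINE)
# Flow style:   process: {markdown: true, twig: true}
_FLOW = re.compile(r"^process:[ \t]*\{([^}]*)\}", re.MULTILINE)
# YAML truthy spellings treated as enabling Twig (assumption, not Grav's parser).
_TWIG_ON = re.compile(r"\btwig[ \t]*:[ \t]*(true|yes|on)\b", re.IGNORECASE)


def frontmatter(markdown: str) -> str:
    """Return the YAML frontmatter text, or '' if the page has none."""
    m = _FRONTMATTER.match(markdown.replace("\r\n", "\n"))
    return m.group(1) if m else ""


def twig_enabled(markdown: str) -> bool:
    """True if the page's frontmatter sets process.twig to a truthy value."""
    fm = frontmatter(markdown)
    for pattern in (_BLOCK, _FLOW):
        m = pattern.search(fm)
        if m and _TWIG_ON.search(m.group(1)):
            return True
    return False


def audit_pages(root: Path) -> List[Path]:
    """List every .md page under root (e.g. user/pages) with Twig processing on."""
    return [p for p in sorted(root.rglob("*.md"))
            if twig_enabled(p.read_text(encoding="utf-8", errors="replace"))]


# Constructed sample pages (not taken from the advisory) for a quick self-check.
SAMPLE_BLOCK = "---\ntitle: Contact\nprocess:\n  markdown: true\n  twig: true\n---\nBody\n"
SAMPLE_FLOW = "---\ntitle: Home\nprocess: {markdown: true, twig: true}\n---\n"
SAMPLE_OFF = "---\ntitle: About\nprocess:\n  markdown: true\n  twig: false\n---\n"
SAMPLE_NO_FM = "process:\n  twig: true\n(no frontmatter delimiters, so not a page setting)\n"

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "user/pages")
    for page in audit_pages(root):
        print(f"twig processing enabled: {page}")
```

Pair the report with the site's page-edit history so any page that gained `process: twig: true` from a non-admin account stands out.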
OSV
Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
osv · 2025-12-02 · CVE-2025-66297 [HIGH]
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-12-01