CVE-2025-66298
Published 2025-12-01
Priority: P3 · 45 · High · 7.5 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.33% (24.8th percentile)
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on a site can reveal the whole Grav configuration (including plugin configuration details) to anyone who sends the correct POST payload, exploiting a Server-Side Template Injection (SSTI) vulnerability. Sensitive information may be contained in the configuration details. This vulnerability is fixed in 1.8.0-beta.27.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | < 1.8.0-beta.27 | 1.8.0-beta.27 |
| getgrav | grav | < 1.8.0 | 1.8.0 |
| getgrav | grav | — | — |
| getgrav | grav | >= 0 < 1.8.0-beta.27 | 1.8.0-beta.27 |
CVSS provenance
NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v4.0: 7.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA (2025-12-02): CVE-2025-66298 [HIGH] CWE-1336 Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
### Summary
Having a simple form on a site can reveal the whole Grav configuration (including plugin configuration details) to anyone who sends the correct POST payload. Sensitive information may be contained in the configuration details.
### PoC
Create a simple form with two fields, 'registration-number' and 'hp'. Add a submit button and set the method to POST (screenshot attached below). Set the form name to 'hero-form'. Send a POST request with the following payload and the response will contain a PHP array listing the whole Grav configuration, including plugins (screenshot attached).

```
registration-number:d643aaaa
hp:vJyifp
__form-name__:hero-form
__unique_form_id__:{{var_dump(_context|slice(0,7))}}
```
### Imp
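A defender-side check for the pattern in this PoC, added here and not part of the advisory or of Grav itself: it parses URL-encoded POST bodies taken from constructed request-log lines and flags any field whose value carries Twig delimiters, rating hits on Grav's `__form-name__`/`__unique_form_id__` metadata fields as high because that is the injection point the PoC uses. The log-line layout and the IP addresses are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl

# Twig delimiters: output {{ ... }}, statement {% ... %}, comment {# ... #}.
TWIG_DELIMS = re.compile(r"\{\{|\{%|\{#|\}\}|%\}|#\}")

# Hidden bookkeeping fields Grav's form plugin submits with every form.
# The advisory's payload places the template expression in __unique_form_id__.
GRAV_META_FIELDS = {"__form-name__", "__unique_form_id__"}


def find_template_syntax(body: str) -> list[dict]:
    """Return one finding per POST field whose value contains Twig delimiters.

    `body` is a raw application/x-www-form-urlencoded request body.
    Hits on Grav's own metadata fields are 'high' (the advisory's injection
    point); hits on ordinary user fields are 'medium'.
    """
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if TWIG_DELIMS.search(value):
            findings.append({
                "field": name,
                "value": value,
                "severity": "high" if name in GRAV_META_FIELDS else "medium",
            })
    return findings


def scan_request_log(lines: list[str]) -> list[dict]:
    """Scan constructed log lines shaped '<ip> <method> <path> <urlencoded body>'."""
    hits = []
    for line in lines:
        try:
            ip, method, path, body = line.split(" ", 3)
        except ValueError:
            continue  # malformed line, not in the assumed layout
        if method != "POST":
            continue
        for finding in find_template_syntax(body):
            hits.append({"ip": ip, "path": path, **finding})
    return hits


# Constructed sample log lines (not from the advisory): one benign submission
# and one carrying the PoC payload, URL-encoded, in __unique_form_id__.
SAMPLE_LOG = [
    "203.0.113.5 POST /contact registration-number=d643aaaa&hp=vJyifp&__form-name__=hero-form&__unique_form_id__=abc123",
    "203.0.113.9 POST /contact registration-number=d643aaaa&hp=vJyifp&__form-name__=hero-form&__unique_form_id__=%7B%7Bvar_dump%28_context%7Cslice%280%2C7%29%29%7D%7D",
]

if __name__ == "__main__":
    for hit in scan_request_log(SAMPLE_LOG):
        print(hit)
```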
OSV (2025-12-02): CVE-2025-66298 [HIGH] Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.