CVE-2025-66300
Published 2025-12-01
Priority: P359 · Severity: high · CVSS 3.1 base score: 8.5
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
EPSS: 0.40% (31.5th percentile)
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low-privilege user account with page editing privilege can read any server file using the "Frontmatter" form. This includes the Grav user account files (/grav/user/accounts/*.yaml), which store the hashed user password, the 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account, either by triggering a password reset for a user and reading the reset token from the file, or by cracking the hashed password. This vulnerability is fixed in 1.8.0-beta.27.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | < 1.8.0-beta.27 | 1.8.0-beta.27 |
| getgrav | grav | < 1.8.0 | 1.8.0 |
| getgrav | grav | — | — |
| getgrav | grav | >= 0 < 1.8.0-beta.27 | 1.8.0-beta.27 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L |
| ghsa | — | 5.4 | MEDIUM | — |
| osv | — | 5.4 | MEDIUM | — |
OSV
Grav is vulnerable to Arbitrary File Read
osv·2025-12-02·CVSS 5.4
CVE-2025-66300 [MEDIUM] Grav is vulnerable to Arbitrary File Read
### Summary
- A low-privilege user account with page editing privilege can read any server file using the "Frontmatter" form.
- This includes the Grav user account files (/grav/user/accounts/*.yaml). These files store the hashed user password, the 2FA secret, and the password reset token.
- This can allow an adversary to compromise any registered account by resetting a password for a user and reading the password reset token from the file, or by cracking the hashed password.
### Details
_The vulnerability can be found in /user/plugins/form/templates/forms/fields/display/display.html.twig_
### PoC
1. This PoC was conducted on Grav CMS version 1.7.46 and Admin Plugin version 1.10.46
2. Go to “http://grav.local/admin/pages” then create new page with “Page
GHSA
Grav is vulnerable to Arbitrary File Read
ghsa·2025-12-02·CVSS 5.4
CVE-2025-66300 [MEDIUM] CWE-22 Grav is vulnerable to Arbitrary File Read
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.