cbcvebase.
CVE-2025-66301
published 2025-12-01

Priority: P267 · Severity: critical · CVSS 3.1 base score: 9.6
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Flags: EXPLOIT
EPSS: 1.25% (65.7th percentile)
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, improper authorization checks when modifying critical fields in a POST request to /admin/pages/{page_name} allow an editor who only has permission to change a form's basic content to change how the form functions by modifying the data[_json][header][form] field. That field holds the page's YAML frontmatter, including the process section, which dictates what happens after a user submits the form and contains some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

Affected

4 ranges

Vendor   Product  Version range          Fixed in
getgrav  grav     < 1.8.0-beta.27        1.8.0-beta.27
getgrav  grav     < 1.8.0                1.8.0
getgrav  grav
getgrav  grav     >= 0, < 1.8.0-beta.27  1.8.0-beta.27

Detection & IOCs (extracted from sources)

URL: /admin/pages/{page_name}
Path: data[_json][header][form]
  • Monitor POST requests to /admin/pages/* endpoints for modification of the data[_json][header][form] parameter, especially by users with only basic editor privileges, as this indicates exploitation of the broken access control flaw.
  • Inspect the YAML frontmatter 'process' section of Grav pages for unexpected or unauthorized modifications, which may indicate an attacker chaining CVE-2025-66301 with CVE-2025-66294 for SSTI RCE.
  • Detect use of the Metasploit module grav_twig_ssti_sandbox_bypass_rce targeting Grav CMS, which chains CVE-2025-66301 (broken access control) with CVE-2025-66294 (Twig SSTI sandbox bypass) to achieve authenticated RCE.
  • Look for Twig template injection patterns within the evaluate_twig function context in Grav CMS, as the cleanDangerousTwig method's weak regex fails to sanitize nested Twig calls used in exploitation.
  • The vulnerability affects Grav versions prior to 1.8.0-beta.27 only; patched installations are not vulnerable.
  • Exploitation requires an authenticated user with at least page editing privileges; unauthenticated exploitation is not possible for this CVE alone.
  • Full RCE impact requires chaining with CVE-2025-66294 (Twig SSTI sandbox bypass); CVE-2025-66301 alone enables unauthorized form frontmatter modification.
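The first detection bullet above, written out as an added example (not code from Grav or from this page's sources): a scanner over a constructed JSON-lines request log that flags POSTs to /admin/pages/* which carry the data[_json][header][form] field from any requester without an admin role. The log record layout, the field names method/path/user/roles/post_fields and the role name "admin" are assumptions; only the endpoint pattern and the POST field name come from the advisory.

```python
"""Flag low-privilege edits to Grav form frontmatter via the admin endpoint.

Added example, not Grav's own code. Assumes a constructed JSON-lines request
log whose records carry method, path, user, roles and the top-level POST
field names (all assumed names); the endpoint and field come from the CVE.
"""
import json
import re

# Page-edit endpoint named in the advisory: /admin/pages/{page_name}
ADMIN_PAGES_RE = re.compile(r"^/admin/pages/[^/?#]+")
# POST field holding the YAML frontmatter (including the process section).
FORM_FRONTMATTER_FIELD = "data[_json][header][form]"


def is_suspicious(record: dict) -> bool:
    """True for a POST to the page-edit endpoint that touches the form
    frontmatter from a requester lacking the (assumed) admin role."""
    if record.get("method") != "POST":
        return False
    if not ADMIN_PAGES_RE.match(record.get("path", "")):
        return False
    if FORM_FRONTMATTER_FIELD not in record.get("post_fields", []):
        return False
    # Administrators are expected to edit form processing; flag everyone else.
    return "admin" not in set(record.get("roles", []))


def scan(log_lines):
    """Return (line_no, user, path) for every record matching the rule."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if is_suspicious(rec):
            hits.append((n, rec.get("user"), rec["path"]))
    return hits


# Constructed sample log for demonstration; not captured traffic.
SAMPLE_LOG = [
    '{"method":"POST","path":"/admin/pages/contact","user":"alice","roles":["editor"],"post_fields":["data[_json][header][form]","data[content]"]}',
    '{"method":"POST","path":"/admin/pages/contact","user":"bob","roles":["editor"],"post_fields":["data[content]"]}',
    '{"method":"POST","path":"/admin/pages/contact","user":"root","roles":["admin"],"post_fields":["data[_json][header][form]"]}',
    '{"method":"GET","path":"/admin/pages/contact","user":"alice","roles":["editor"],"post_fields":[]}',
    '{"method":"POST","path":"/admin/config/site","user":"alice","roles":["editor"],"post_fields":["data[_json][header][form]"]}',
]

if __name__ == "__main__":
    for line_no, user, path in scan(SAMPLE_LOG):
        print(f"line {line_no}: {user!r} changed form frontmatter via {path}")
```

Only the first sample record is flagged: bob does not touch the form field, root holds the admin role, the GET is not a modification, and the last POST targets a different endpoint.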

CVSS provenance

Source  Version  Score  Severity  Vector
NVD     v3.1     9.6    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
NVD     v4.0     8.6    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X