CVE-2025-66301
Published 2025-12-01
Priority: P2 67, critical, 9.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EXPLOIT
EPSS: 1.25% (65.7th percentile)
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a POST request to /admin/pages/{page_name} is not subject to proper authorization checks when it modifies critical fields. An editor with permission only to change basic content on the form can therefore change how the form functions by modifying the content of data[_json][header][form]. This is the YAML frontmatter, which includes the process section that dictates what happens after a user submits the form; that section includes some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | < 1.8.0-beta.27 | 1.8.0-beta.27 |
| getgrav | grav | < 1.8.0 | 1.8.0 |
| getgrav | grav | — | — |
| getgrav | grav | >= 0 < 1.8.0-beta.27 | 1.8.0-beta.27 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /admin/pages/* endpoints for modification of the data[_json][header][form] parameter, especially by users with only basic editor privileges, as this indicates exploitation of the broken access control flaw.
- Inspect the YAML frontmatter 'process' section of Grav pages for unexpected or unauthorized modifications, which may indicate an attacker chaining CVE-2025-66301 with CVE-2025-66294 for SSTI RCE.
- Detect use of the Metasploit module grav_twig_ssti_sandbox_bypass_rce targeting Grav CMS, which chains CVE-2025-66301 (broken access control) with CVE-2025-66294 (Twig SSTI sandbox bypass) to achieve authenticated RCE.
- Look for Twig template injection patterns within the evaluate_twig function context in Grav CMS, as the cleanDangerousTwig method's weak regex fails to sanitize nested Twig calls used in exploitation.
- The vulnerability affects Grav versions prior to 1.8.0-beta.27 only; patched installations are not vulnerable.
- Exploitation requires an authenticated user with at least page editing privileges; unauthenticated exploitation is not possible for this CVE alone.
- Full RCE impact requires chaining with CVE-2025-66294 (Twig SSTI sandbox bypass); CVE-2025-66301 alone enables unauthorized form frontmatter modification.
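The first two checks above, sketched as detection logic. This is an added example, not code from Grav or from the sources indexed here. It assumes a request audit log that records the authenticated admin user and the URL-encoded POST body, that the parameter value is JSON-encoded, and a hypothetical allowlist `form_admins` of accounts permitted to change form definitions; the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

ADMIN_PAGE = re.compile(r"^/admin/pages/.+")
FORM_KEY = "data[_json][header][form]"  # parameter named in the advisory


def form_change(body):
    """Return the process action names a POST body sets, or None if the
    form frontmatter parameter is not present in the body at all."""
    for key, value in parse_qsl(body, keep_blank_values=True):
        if not key.startswith(FORM_KEY):
            continue
        try:
            form = json.loads(value)  # assumption: the value is JSON-encoded
        except ValueError:
            return ["<unparsed>"]  # still a form change; needs manual review
        steps = form.get("process") if isinstance(form, dict) else None
        if not isinstance(steps, list):
            return []  # form touched, no process list (removed or emptied)
        # Each process step is a one-key mapping: {action_name: options}
        return [name for step in steps if isinstance(step, dict) for name in step]
    return None


def find_unauthorized_form_edits(records, form_admins):
    """Flag POSTs to /admin/pages/* that set the form frontmatter and come
    from a user outside form_admins (hypothetical allowlist)."""
    findings = []
    for rec in records:
        if rec["method"].upper() != "POST" or not ADMIN_PAGE.match(rec["path"]):
            continue
        actions = form_change(rec["body"])
        if actions is not None and rec["user"] not in form_admins:
            findings.append((rec["user"], rec["path"], actions))
    return findings


# Constructed sample records, not taken from any real system.
_FORM = json.dumps({"name": "contact",
                    "process": [{"message": "Thanks"}, {"display": "thankyou"}]})
SAMPLE_RECORDS = [
    {"user": "editor1", "method": "POST", "path": "/admin/pages/contact",
     "body": urlencode({"task": "save", "data[content]": "Updated intro"})},
    {"user": "editor1", "method": "POST", "path": "/admin/pages/contact",
     "body": urlencode({"task": "save", FORM_KEY: _FORM})},
    {"user": "siteadmin", "method": "POST", "path": "/admin/pages/contact",
     "body": urlencode({"task": "save", FORM_KEY: _FORM})},
]

if __name__ == "__main__":
    for finding in find_unauthorized_form_edits(SAMPLE_RECORDS, {"siteadmin"}):
        print(finding)
```

The returned action names can be diffed against the `process` list in the page's stored frontmatter to spot actions that were not there before the request.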
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| nvd | v4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
ghsa·2025-12-02
CVE-2025-66301 [HIGH] CWE-285 Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
### Summary
Due to a broken access control vulnerability in the `/admin/pages/{page_name}` endpoint, an editor (user with full permissions to pages) can change the functionality of a form after submission.
### Details
Due to improper authorization checks when modifying critical fields on a POST request to `/admin/pages/{page_name}`, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the `data[_json][header][form]` which is the YAML frontmatter which includes the `process` section which dictates what happens after a user submits the form which include some important
OSV
Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
osv·2025-12-02
CVE-2025-66301 [HIGH] Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
Published: 2025-12-01