cbcvebase.
CVE-2025-66302
published 2025-12-01

CVE-2025-66302: Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers…

PriorityP341medium6.8CVSS 3.1
AVNACLPRHUINSCCHINAN
EPSS
0.42%
33.6th percentile
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27.

Affected

4 ranges
VendorProductVersion rangeFixed in
getgravgrav< 1.8.0-beta.271.8.0-beta.27
getgravgrav< 1.8.01.8.0
getgravgrav
getgravgrav>= 0 < 1.8.0-beta.271.8.0-beta.27
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.

CVE-2025-66302 — Path Traversal in Getgrav Grav | cvebase