CVE-2025-66303
published 2025-12-01CVE-2025-66303: Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of…
PriorityP425medium4.9CVSS 3.1
AVNACLPRHUINSUCNINAH
EPSS
0.34%
25.7th percentile
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations. The only way to recover from this issue is to manually access the host server and modify the backup.yaml file to correct the corrupted cron expression. This vulnerability is fixed in 1.8.0-beta.27.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | < 1.8.0-beta.27 | 1.8.0-beta.27 |
| getgrav | grav | < 1.8.0 | 1.8.0 |
| getgrav | grav | — | — |
| getgrav | grav | >= 0 < 1.8.0-beta.27 | 1.8.0-beta.27 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Grav is vulnerable to a DOS on the admin panel
osv·2025-12-02
CVE-2025-66303 [MEDIUM] Grav is vulnerable to a DOS on the admin panel
Grav is vulnerable to a DOS on the admin panel
# DOS on the admin panel
**Severity Rating:** Medium
**Vector:** Denial Of Service
**CVE:** XXX
**CWE:** 400 - Uncontrolled Resource Consumption
**CVSS Score:** 4.9
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
## Analysis
A Denial of Service (DoS) vulnerability has been identified in the application related to the handling of `scheduled_at` parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the `scheduled_at` parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations.
The only way to recover from this issue is to manually access the host server an
GHSA
Grav is vulnerable to a DOS on the admin panel
ghsa·2025-12-02
CVE-2025-66303 [MEDIUM] CWE-400 Grav is vulnerable to a DOS on the admin panel
Grav is vulnerable to a DOS on the admin panel
# DOS on the admin panel
**Severity Rating:** Medium
**Vector:** Denial Of Service
**CVE:** XXX
**CWE:** 400 - Uncontrolled Resource Consumption
**CVSS Score:** 4.9
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
## Analysis
A Denial of Service (DoS) vulnerability has been identified in the application related to the handling of `scheduled_at` parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the `scheduled_at` parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations.
The only way to recover from this issue is to manually access the host server an
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-12-01
Published