cbcvebase.
CVE-2025-66306
published 2025-12-01

CVE-2025-66306: Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which…

PriorityP339medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.26%
17.0th percentile
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27.

Affected

4 ranges
VendorProductVersion rangeFixed in
getgravgrav< 1.8.0-beta.271.8.0-beta.27
getgravgrav
getgravgrav>= 0 < 1.8.0-beta.271.8.0-beta.27
getgravgrav>= 1.7.48 < 1.8.01.8.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.