CVE-2025-66844
Published: 2025-12-15
Priority: P3 · 47 · critical · 9.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.25% (15.9th percentile)
In grav <1.7.49.5, an SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | < 1.7.49.5 | 1.7.49.5 |
| getgrav | grav | 0 – 1.7.49.5 | — |
GHSA · 2025-12-15
CVE-2025-66844 [CRITICAL] CWE-918: Grav may be vulnerable to SSRF attack via Twig Templates
OSV · 2025-12-15
CVE-2025-66844 [CRITICAL]: Grav may be vulnerable to SSRF attack via Twig Templates
Detection rules: none found.
Public exploits: none indexed.
Published: 2025-12-15