Vulnerability Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Getgrav | Grav | < 1.8.0 |
Related Weaknesses (CWE)
References
- https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458Patch
- https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6ExploitThird Party Advisory
FAQ
What is CVE-2025-66297?
CVE-2025-66297 is a vulnerability with a CVSS score of 8.8 (HIGH). Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By inj...
How severe is CVE-2025-66297?
CVE-2025-66297 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66297?
Check the references section above for vendor advisories and patch information. Affected products include: Getgrav Grav.