Vulnerability Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Getgrav | Grav | >= 1.7.48, < 1.8.0 |
Related Weaknesses (CWE)
References
- https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62Patch
- https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwgExploitVendor Advisory
- https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwgExploitVendor Advisory
FAQ
What is CVE-2025-66306?
CVE-2025-66306 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sens...
How severe is CVE-2025-66306?
CVE-2025-66306 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66306?
Check the references section above for vendor advisories and patch information. Affected products include: Getgrav Grav.