CVE-2025-66294 · HIGH 8.8 · EPSS p83.3%

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.59% probability of exploitation · percentile 83.3% · 2026-06-19T12:03:05Z
Published: 2025-12-01
Last modified: 2025-12-04

Underlying weaknesses · 2

CWE-94, CWE-1336

References

  1. https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458
  2. https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f

Weakness mappings · 2

Type      | Target                                                                           | Confidence | Tier
----------|----------------------------------------------------------------------------------|------------|-----
Weakness  | Improper Neutralization of Special Elements Used in a Template Engine (cwe-1336) | 0%         | live
Weakness  | Improper Control of Generation of Code ('Code Injection') (cwe-94)               | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE  CVE-2025-66299
  2. CVE  CVE-2025-66297
  3. CVE  CVE-2025-66844
  4. CVE  CVE-2025-46199
  5. CVE  CVE-2025-66296
  6. CVE  CVE-2025-66301

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.