CVE-2025-66297 · HIGH 8.8 · EPSS percentile 46.7%

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.66% probability of exploitation · percentile 46.7% · 2026-06-18T12:00:27Z
Published: 2025-12-01
Last modified: 2025-12-03

Underlying weaknesses · 1

CWE-1336

References

  1. https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458
  2. https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-66294
  2. CVE: CVE-2025-66299
  3. CVE: CVE-2025-50286
  4. CVE: CVE-2025-66296
  5. CVE: CVE-2025-66301
  6. CVE: CVE-2026-42607
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.