CVE-2025-66299 · HIGH 8.8 · EPSS p39.8%

Description

Grav is a file-based web platform. Before 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that lets any authenticated user with editor permissions execute arbitrary code on the server, bypassing the existing security sandbox. Because the sandbox does not fully protect the Twig object, Twig template directives injected into a web page can interact with it (for example, call its methods or read and write its attributes). An authenticated editor can use this to add arbitrary functions to the Twig attribute system.twig.safe_filters, which defeats the Grav CMS sandbox. The vulnerability is fixed in 1.8.0-beta.27.
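The only affected-version boundary the advisory gives is "prior to 1.8.0-beta.27", and a plain string comparison gets pre-release ordering wrong (beta.9 sorts after beta.27, and 1.8.0 sorts before 1.8.0-beta.27). The following triage helper is an added example, not code from this page or from the Grav project; it assumes Grav records its version as the PHP constant GRAV_VERSION in system/defines.php, and the defines.php snippet it parses is constructed for the example.

```python
import re

# Fix version stated in the advisory; anything older is affected.
FIXED_VERSION = "1.8.0-beta.27"

# Pre-release tags in ascending order. A final release gets a rank above every
# tag so that 1.8.0 sorts after 1.8.0-beta.27 and 1.8.0-rc.1.
_PRE_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_FINAL_RANK = 99

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?$")

# Assumption: Grav stores its version as a PHP constant in system/defines.php,
# e.g. define('GRAV_VERSION', '1.7.48'); only that line shape is needed here.
_DEFINES_RE = re.compile(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(version: str) -> tuple:
    """Turn '1.8.0-beta.27' into (1, 8, 0, 2, 27) so tuples compare correctly.

    Lexical string comparison would put beta.27 before beta.9 and 1.10.0
    before 1.9.0; the tuple form compares every field numerically.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grav version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    core = (int(major), int(minor), int(patch))
    if tag is None:
        return core + (_FINAL_RANK, 0)
    rank = _PRE_RANK.get(tag.lower())
    if rank is None:
        raise ValueError(f"unknown pre-release tag in {version!r}")
    return core + (rank, int(num or 0))


def is_affected(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_defines(defines_php: str) -> str:
    """Extract GRAV_VERSION from the text of system/defines.php."""
    m = _DEFINES_RE.search(defines_php)
    if not m:
        raise ValueError("GRAV_VERSION not found in defines.php contents")
    return m.group(1)


# Constructed sample of the relevant line from system/defines.php (not a real file).
SAMPLE_DEFINES = "<?php\ndefine('GRAV_VERSION', '1.8.0-beta.26');\n"


def triage(defines_php: str = SAMPLE_DEFINES) -> dict:
    """Report the installed version and whether CVE-2025-66299 applies to it."""
    installed = version_from_defines(defines_php)
    return {
        "installed": installed,
        "fixed": FIXED_VERSION,
        "affected": is_affected(installed),
    }


if __name__ == "__main__":
    print(triage())
```

On a real install, read system/defines.php from the Grav root and pass its contents to triage(); the 1.7.x line is reported as affected because every 1.7 release predates the fix.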

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.52% probability of exploitation · percentile 39.8% · 2026-06-19T12:03:05Z
Published: 2025-12-01
Last modified: 2025-12-03

Underlying weaknesses · 2

CWE-94, CWE-1336

References

  1. https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458
  2. https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x

Weakness mapping · 2

Type      Target                                                                          Confidence  Tier
Weakness  Improper Neutralization of Special Elements Used in a Template Engine (cwe-1336)  0%          live
Weakness  Improper Control of Generation of Code ('Code Injection') (cwe-94)                0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-66294
  2. CVE-2025-66297
  3. CVE-2025-66844
  4. CVE-2025-46199
  5. CVE-2025-66301
  6. CVE-2025-66300
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.