CVE-2025-66294

HIGH

Grav < 1.8.0-beta.27 - Server-Side Template Injection via Weak Twig Validation

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-66294. PoCs published by Tarek Nakkouch, including Metasploit module exploits/multi/http/grav_twig_ssti_sandbox_bypass_rce.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2025-66301 (broken access control) and CVE-2025-66294 (Twig SSTI sandbox bypass) in Grav CMS to achieve authenticated remote code execution via crafted YAML frontmatter in form pages.

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.

Exploits (1)

Metasploit · Working PoC · Excellent
by Tarek Nakkouch
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/grav_twig_ssti_sandbox_bypass_rce.rb

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Grav CMS < 1.8.0-beta.27
Auth required: yes
Prerequisites: Valid Grav CMS credentials with page editing privileges · Access to admin interface
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.3765
EPSS Percentile 97.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE: CWE-1336, CWE-94
Status: published
Products (3)
getgrav/grav 1.8.0 beta1 (26 CPE variants)
getgrav/grav 0 - 1.8.0-beta.27 (Packagist)
getgrav/grav 1.7.48 - 1.8.0
Published Dec 01, 2025
Tracked Since Feb 18, 2026