CVE-2025-66297

HIGH

Grav <1.8.0-beta.27 - RCE/Privilege Escalation

Title source: llm

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

References (2)

[Exploit, Third Party Advisory] https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6

[Patch] https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0052

EPSS Percentile 66.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-1336

Status published

Products (3)

getgrav/grav 1.8.0 beta1 (26 CPE variants)

getgrav/grav < 1.8.0

getgrav/grav 0 - 1.8.0-beta.27Packagist

Published Dec 01, 2025

Tracked Since Feb 18, 2026