CVE-2025-66304
Severity: MEDIUM
Grav <1.8.0-beta.27 - Info Disclosure
Title source: llmDescription
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-beta.27.
Scores
CVSS v3: 6.2
EPSS: 0.0010
EPSS Percentile: 27.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-201, CWE-200
Status: published
Products (3)
getgrav/grav: 1.8.0 beta1 (26 CPE variants)
getgrav/grav: 0 - 1.8.0-beta.27 (Packagist)
getgrav/grav: 1.7.46 - 1.8.0
Published: Dec 01, 2025
Tracked Since: Feb 18, 2026