CVE-2025-66306

MEDIUM

Grav <1.8.0-beta.27 - Info Disclosure

Title source: llm

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27.

References (2)

[Exploit, Vendor Advisory] https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg

[Patch] https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62

View Patch ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0005

EPSS Percentile 16.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (3)

getgrav/grav 1.8.0 beta1 (26 CPE variants)

getgrav/grav 0 - 1.8.0-beta.27Packagist

getgrav/grav 1.7.48 - 1.8.0

Published Dec 01, 2025

Tracked Since Feb 18, 2026