216.73.217.139

CVE-2025-66297

· Published 01/12/2025 21:15 · Modified 03/12/2025 15:58

Labels: CVE-2025-66297 2025-12-01CVE-2025-66297CWE-1336[email protected]

Essential information

Published
01/12/2025 21:15
Modified
03/12/2025 15:58
Author
Creator
CVSS
7.4 HIGH (v3) 7.4 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
getgrav / grav cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta13:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta14:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta15:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta16:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta17:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta18:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta19:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta2:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta20:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta21:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta22:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta23:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta24:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta25:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta26:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta3:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta4:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta5:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta6:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta7:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta8:*:*:*:*:*:*
getgrav / grav cpe:2.3:a:getgrav:grav:1.8.0:beta9:*:*:*:*:*:*

References