CVE-2025-66297

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

Published: Dec 1, 2025
Updated: Dec 4, 2025
CVE: CVE-2025-66297
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-1336

Affected Software
References

Software	From	Fixed in
getgrav / grav	-	1.8.0
getgrav / grav	1.8.0-beta1	1.8.0-beta1.x
getgrav / grav	1.8.0-beta10	1.8.0-beta10.x
getgrav / grav	1.8.0-beta11	1.8.0-beta11.x
getgrav / grav	1.8.0-beta12	1.8.0-beta12.x
getgrav / grav	1.8.0-beta13	1.8.0-beta13.x
getgrav / grav	1.8.0-beta14	1.8.0-beta14.x
getgrav / grav	1.8.0-beta15	1.8.0-beta15.x
getgrav / grav	1.8.0-beta16	1.8.0-beta16.x
getgrav / grav	1.8.0-beta17	1.8.0-beta17.x
getgrav / grav	1.8.0-beta18	1.8.0-beta18.x
getgrav / grav	1.8.0-beta19	1.8.0-beta19.x
getgrav / grav	1.8.0-beta2	1.8.0-beta2.x
getgrav / grav	1.8.0-beta20	1.8.0-beta20.x
getgrav / grav	1.8.0-beta21	1.8.0-beta21.x
getgrav / grav	1.8.0-beta22	1.8.0-beta22.x
getgrav / grav	1.8.0-beta23	1.8.0-beta23.x
getgrav / grav	1.8.0-beta24	1.8.0-beta24.x
getgrav / grav	1.8.0-beta25	1.8.0-beta25.x
getgrav / grav	1.8.0-beta26	1.8.0-beta26.x
getgrav / grav	1.8.0-beta3	1.8.0-beta3.x
getgrav / grav	1.8.0-beta4	1.8.0-beta4.x
getgrav / grav	1.8.0-beta5	1.8.0-beta5.x
getgrav / grav	1.8.0-beta6	1.8.0-beta6.x
getgrav / grav	1.8.0-beta7	1.8.0-beta7.x
getgrav / grav	1.8.0-beta8	1.8.0-beta8.x
getgrav / grav	1.8.0-beta9	1.8.0-beta9.x

Vulnerability Database

314,902

CVE-2025-66297

Deep Security Visibility Without the Complexity