Server-Side Template Injection Vulnerability in Grav Web Platform
CVE-2025-66294
8.7HIGH
What is CVE-2025-66294?
Grav, a file-based web platform, contains a Server-Side Template Injection (SSTI) vulnerability that affects versions prior to 1.8.0-beta.27. This issue enables authenticated users with editor permissions to execute arbitrary commands on the server. Moreover, in specific scenarios, this vulnerability can also be exploited by unauthenticated attackers. The origin of this vulnerability lies in insufficient regular expression validation within the cleanDangerousTwig method. Users are encouraged to upgrade to version 1.8.0-beta.27 or later to mitigate this risk.
Affected Version(s)
grav < 1.8.0-beta.27
