Privilege Escalation Vulnerability in Grav's Admin Plugin

CVE-2025-66296

What is CVE-2025-66296?

Grav, a file-based web platform, contains a vulnerability in its Admin plugin prior to version 1.8.0-beta.27. This flaw allows users with the permission to create new accounts to bypass username uniqueness validation, enabling them to register an account with an existing administrator's username. By setting a new password or email during account creation, the user can gain unauthorized access to the administrator's account, escalating their privileges from user-manager to full administrative control.

References