Privilege Escalation and Remote Code Execution in Grav CMS by Grav
CVE-2025-66297

7.4HIGH

Key Information:

Vendor: Getgrav
Status: Grav
Vendor: CVE Published:; 1 December 2025

What is CVE-2025-66297?

Grav is a file-based web platform that allows users with admin panel access to create or edit pages. Prior to version 1.8.0-beta.27, a vulnerability exists where an administrator could enable Twig processing in page frontmatter. This would allow an attacker to inject malicious Twig expressions, leading to privilege escalation to admin rights and potential execution of arbitrary system commands via the scheduler API. This poses significant security risks as it enables unauthorized access and manipulation of the Grav CMS environment. The issue is addressed in the subsequent update, ensuring better protection against such exploitation.

Affected Version(s)

grav < 1.8.0-beta.27

References

https://github.com/getgrav/grav/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/getgrav/grav/commit/e37259527d9c1deb62...

x_refsource_MISC

CVSS V4

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Dec 1, 2025
Vulnerability Reserved
Nov 26, 2025

JSON

Getgrav

What is CVE-2025-66297?

Affected Version(s)

References

CVSS V4

Timeline