File-Based Web Platform Vulnerability in Grav Affects User Accounts
CVE-2025-66300

8.5 HIGH

Key Information:

Vendor: Getgrav

Status: Vendor

CVE Published: 1 December 2025

What is CVE-2025-66300?

Grav is a file-based web platform that enables users to create and manage their websites efficiently. However, prior to version 1.8.0-beta.27, a vulnerability existed that allowed low-privilege users with page editing rights to access sensitive server files. This included the ability to read Grav user account files, which contain sensitive information such as hashed passwords, 2FA secrets, and password reset tokens. An attacker could exploit this vulnerability to compromise any registered user's account by obtaining either the hashed password or the password reset token, leading to unauthorized access.

Affected Version(s)

grav < 1.8.0-beta.27

References

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
