Authorization Flaw in Grav Web Platform Affects User Permissions
CVE-2025-66301
8.6HIGH
What is CVE-2025-66301?
Grav, a file-based web platform, has a vulnerability that arises from improper authorization checks. Prior to version 1.8.0-beta.27, editors lacking full permissions were able to modify crucial fields in a POST request to /admin/pages/{page_name}. This allowed them to change form functionality by altering the YAML frontmatter content, specifically within the data[_json][header][form] section. Such modifications could potentially lead to significant security risks, enabling unauthorized access or actions. The issue has been resolved in version 1.8.0-beta.27.
Affected Version(s)
grav < 1.8.0-beta.27
