Denial of Service Vulnerability in Grav Web Platform
CVE-2025-66303

4.9MEDIUM

Key Information:

Vendor: Getgrav
Status: Grav
Vendor: CVE Published:; 1 December 2025

What is CVE-2025-66303?

A Denial of Service vulnerability exists in the Grav web platform due to improper sanitization of the 'scheduled_at' parameters used within cron expressions. This flaw allows attackers to disrupt administrative functionalities by introducing malicious input, such as a single quote. As a consequence, the admin panel may become non-functional, impacting operations significantly. Recovery requires manual intervention on the server to amend the 'backup.yaml' file, rectifying the corrupted cron expression. The issue has been addressed in version 1.8.0-beta.27.

Affected Version(s)

grav < 1.8.0-beta.27

References

https://github.com/getgrav/grav/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/getgrav/grav/commit/9d11094e4133f05968...

x_refsource_MISC

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 1, 2025
Vulnerability Reserved
Nov 26, 2025

JSON

Getgrav

What is CVE-2025-66303?

Affected Version(s)

References

CVSS V3.1

Timeline