Password Hash Exposure in Grav Web Platform
CVE-2025-66304
6.2 MEDIUM
What is CVE-2025-66304?
Before version 1.8.0-beta.27, Grav, a file-based web platform, allowed any user with read access to the user account management section of the admin panel to view the password hashes of all users, including administrators. Because the hashes are exposed, an attacker who cracks them offline can log in as another user, including an administrator, and so escalate privileges and compromise the entire system. The issue is fixed in Grav 1.8.0-beta.27 and later.
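The root cause is a serializer that sends the stored account record, hash included, to a user-interface view that only needs display fields. The following is an added example, not Grav's code and not the actual fix: it models an account record as a dictionary with an assumed key layout (the key names, the role flags and the sample accounts are all constructed for illustration), strips secret fields before a record is returned to the admin panel, and adds a guard that walks the outgoing response and refuses to send it if any secret key survived. The guard is the part worth copying: it turns "we forgot to redact this field" from a silent disclosure into a failed request that shows up in the server log.

```python
# Added example (not Grav's own code): redact secrets from an admin-panel
# account view so that read-only reviewers never receive password hashes.
import copy

# Keys that must never leave the server in a UI/API view of an account.
# These names are assumptions modelled on a flat-file account record; Grav's
# real account schema is not reproduced here.
SECRET_KEYS = frozenset({"hashed_password", "password", "twofa_secret", "reset_token"})


def account_view(record: dict) -> dict:
    """Return a copy of `record` that is safe to send to the admin panel.

    Secrets are removed for every viewer, regardless of role: a password
    hash is consumed only by the server-side login check and has no
    legitimate use in a human-facing view.
    """
    safe = copy.deepcopy(record)
    for key in list(safe):
        if key in SECRET_KEYS:
            del safe[key]
    return safe


def find_leaked_secrets(payload, path: str = "") -> list:
    """Walk a serialized response and return the paths of any secret keys.

    Used as a regression guard around the response serializer: an empty
    list means nothing sensitive is about to leave the server.
    """
    found = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SECRET_KEYS:
                found.append(here)
            found.extend(find_leaked_secrets(value, here))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            found.extend(find_leaked_secrets(value, f"{path}[{index}]"))
    return found


# Constructed sample accounts (not real data; hash strings are placeholders).
SAMPLE_ACCOUNTS = {
    "admin": {
        "email": "admin@example.test",
        "access": {"admin": {"super": True}},
        "hashed_password": "$2y$10$constructed-example-hash",
    },
    "editor": {
        "email": "editor@example.test",
        "access": {"admin": {"login": True}},
        "hashed_password": "$2y$10$another-constructed-hash",
    },
}


def list_accounts(accounts: dict = SAMPLE_ACCOUNTS) -> dict:
    """Build the response for the user-management list page.

    Every record passes through account_view(); the leak guard then checks
    the assembled response as a whole so a new code path that bypasses the
    redaction fails loudly instead of disclosing hashes.
    """
    response = {name: account_view(record) for name, record in accounts.items()}
    leaks = find_leaked_secrets(response)
    if leaks:
        raise RuntimeError(f"refusing to send response, secrets present at: {leaks}")
    return response


if __name__ == "__main__":
    # Unredacted records would have leaked two hashes; the view sends none.
    print(find_leaked_secrets(SAMPLE_ACCOUNTS))
    print(list_accounts())
```

Running the block prints the two leak paths found in the raw records and then the redacted listing. Administrators who genuinely need to rotate a credential should do so through a dedicated reset action rather than by reading the stored hash, so the redaction applies to every role, not only to read-only ones.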
Affected Version(s)
grav < 1.8.0-beta.27
References
CVSS v3.1
Score: 6.2
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved
