Insecure Direct Object Reference Vulnerability in Grav CMS Admin Panel
CVE-2025-66306

4.3MEDIUM

Key Information:

Vendor: Getgrav
Status: Grav
Vendor: CVE Published:; 1 December 2025

What is CVE-2025-66306?

The Grav CMS Admin Panel has a security flaw that allows low-privilege users to access sensitive information associated with other accounts due to an Insecure Direct Object Reference (IDOR) issue. While direct account takeover is not feasible, this vulnerability could lead to the exposure of admin email addresses and other metadata. Such exposure heightens the risk of phishing attacks, credential stuffing, and various forms of social engineering. The issue has been addressed in version 1.8.0-beta.27, emphasizing the necessity for users to upgrade to protect sensitive information.

Affected Version(s)

grav < 1.8.0-beta.27

References

https://github.com/getgrav/grav/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/getgrav/grav/commit/b7e1958a6e807ac149...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 1, 2025
Vulnerability Reserved
Nov 26, 2025

JSON

Getgrav

What is CVE-2025-66306?

Affected Version(s)

References

CVSS V3.1

Timeline