Home

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.

PUBLISHED Reserved 2025-11-26 | Published 2025-12-01 | Updated 2025-12-02 | Assigner GitHub_M




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Product status

< 1.8.0-beta.27
affected

References

github.com/...v/grav/security/advisories/GHSA-662m-56v4-3r8f

github.com/...ommit/e37259527d9c1deb6200f8967197a9fa587c6458

cve.org (CVE-2025-66294)

nvd.nist.gov (CVE-2025-66294)

Download JSON