CVE-2025-66301 | THREATINT

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

PUBLISHED Reserved 2025-11-26 | Published 2025-12-01 | Updated 2025-12-02 | Assigner GitHub_M

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-285: Improper Authorization

Product status

< 1.8.0-beta.27

affected

References

github.com/...v/grav/security/advisories/GHSA-v8x2-fjv7-8hjh exploit

github.com/...v/grav/security/advisories/GHSA-v8x2-fjv7-8hjh

cve.org (CVE-2025-66301)

nvd.nist.gov (CVE-2025-66301)

Download JSON