CVE-2025-66295

01.12.2025, 21:15

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
GitHub_M	CNA	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 14%

Vendor	Product	Version
getgrav	grav	1.7.49.5 ≤ 𝑥 < 1.8.0
getgrav	grav	1.8.0:beta1
getgrav	grav	1.8.0:beta10
getgrav	grav	1.8.0:beta11
getgrav	grav	1.8.0:beta12
getgrav	grav	1.8.0:beta13
getgrav	grav	1.8.0:beta14
getgrav	grav	1.8.0:beta15
getgrav	grav	1.8.0:beta16
getgrav	grav	1.8.0:beta17
getgrav	grav	1.8.0:beta18
getgrav	grav	1.8.0:beta19
getgrav	grav	1.8.0:beta2
getgrav	grav	1.8.0:beta20
getgrav	grav	1.8.0:beta21
getgrav	grav	1.8.0:beta22
getgrav	grav	1.8.0:beta23
getgrav	grav	1.8.0:beta24
getgrav	grav	1.8.0:beta25
getgrav	grav	1.8.0:beta26
getgrav	grav	1.8.0:beta3
getgrav	grav	1.8.0:beta4
getgrav	grav	1.8.0:beta5
getgrav	grav	1.8.0:beta6
getgrav	grav	1.8.0:beta7
getgrav	grav	1.8.0:beta8
getgrav	grav	1.8.0:beta9

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741

https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv