CVE-2025-66301

01.12.2025, 22:15

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.6 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Vendor	Product	Version
getgrav	grav	𝑥 < 1.8.0
getgrav	grav	1.8.0:beta1
getgrav	grav	1.8.0:beta10
getgrav	grav	1.8.0:beta11
getgrav	grav	1.8.0:beta12
getgrav	grav	1.8.0:beta13
getgrav	grav	1.8.0:beta14
getgrav	grav	1.8.0:beta15
getgrav	grav	1.8.0:beta16
getgrav	grav	1.8.0:beta17
getgrav	grav	1.8.0:beta18
getgrav	grav	1.8.0:beta19
getgrav	grav	1.8.0:beta2
getgrav	grav	1.8.0:beta20
getgrav	grav	1.8.0:beta21
getgrav	grav	1.8.0:beta22
getgrav	grav	1.8.0:beta23
getgrav	grav	1.8.0:beta24
getgrav	grav	1.8.0:beta25
getgrav	grav	1.8.0:beta26
getgrav	grav	1.8.0:beta3
getgrav	grav	1.8.0:beta4
getgrav	grav	1.8.0:beta5
getgrav	grav	1.8.0:beta6
getgrav	grav	1.8.0:beta7
getgrav	grav	1.8.0:beta8
getgrav	grav	1.8.0:beta9

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh