CVE-2025-66302

01.12.2025, 22:15

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
GitHub_M	CNA	6.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 10%

Vendor	Product	Version
getgrav	grav	𝑥 < 1.8.0
getgrav	grav	1.8.0:beta1
getgrav	grav	1.8.0:beta10
getgrav	grav	1.8.0:beta11
getgrav	grav	1.8.0:beta12
getgrav	grav	1.8.0:beta13
getgrav	grav	1.8.0:beta14
getgrav	grav	1.8.0:beta15
getgrav	grav	1.8.0:beta16
getgrav	grav	1.8.0:beta17
getgrav	grav	1.8.0:beta18
getgrav	grav	1.8.0:beta19
getgrav	grav	1.8.0:beta2
getgrav	grav	1.8.0:beta20
getgrav	grav	1.8.0:beta21
getgrav	grav	1.8.0:beta22
getgrav	grav	1.8.0:beta23
getgrav	grav	1.8.0:beta24
getgrav	grav	1.8.0:beta25
getgrav	grav	1.8.0:beta26
getgrav	grav	1.8.0:beta3
getgrav	grav	1.8.0:beta4
getgrav	grav	1.8.0:beta5
getgrav	grav	1.8.0:beta6
getgrav	grav	1.8.0:beta7
getgrav	grav	1.8.0:beta8
getgrav	grav	1.8.0:beta9

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee

https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94