Home > Vulnerability Database > CVE-2025-66297

Mend.io Vulnerability Database

CVE-2025-66297

Good to know:

Date: December 1, 2025

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

Severity Score

6.3

Related Resources (5)

Url: https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458

Url: https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6

Url: https://github.com/getgrav/grav

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66297

Url: https://www.mend.io/vulnerability-database/CVE-2025-66297

Severity Score

6.3

Weakness Type (CWE)

Improper Neutralization of Special Elements Used in a Template Engine

CWE-1336

Top Fix

Upgrade Version

Upgrade to version getgrav/grav - 1.8.0-beta.27;https://github.com/getgrav/grav.git - 1.8.0-beta.27

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66297

Good to know:

Date: December 1, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?