Home > Vulnerability Database > CVE-2025-66302

Mend.io Vulnerability Database

CVE-2025-66302

Good to know:

Date: December 1, 2025

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27.

Severity Score

6.8

Related Resources (5)

Url: https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee

Url: https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94

Url: https://github.com/getgrav/grav

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66302

Url: https://www.mend.io/vulnerability-database/CVE-2025-66302

Severity Score

6.8

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version getgrav/grav - 1.8.0-beta.27;https://github.com/getgrav/grav.git - 1.8.0-beta.27

Learn More

CVSS v3.1

Base Score:	6.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66302

Good to know:

Date: December 1, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?