Home > Vulnerability Database > CVE-2025-66304

Mend.io Vulnerability Database

CVE-2025-66304

Good to know:

Date: December 1, 2025

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-beta.27.

Severity Score

6.2

Related Resources (5)

Url: https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7

Url: https://github.com/getgrav/grav

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66304

Url: https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85

Url: https://www.mend.io/vulnerability-database/CVE-2025-66304

Severity Score

6.2

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insertion of Sensitive Information Into Sent Data

CWE-201

Top Fix

Upgrade Version

Upgrade to version getgrav/grav - 1.8.0-beta.27;https://github.com/getgrav/grav.git - 1.8.0-beta.27

Learn More

CVSS v3.1

Base Score:	6.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66304

Good to know:

Date: December 1, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?