CVE-2025-66294

HighPublic PoC

Published: 01 December 2025

Published

01 December 2025

Modified

04 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.3765 97.2th percentile

Risk Priority 40 60% EPSS · 20% KEV · 20% CVSS

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited…

by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the SSTI vulnerability by requiring effective input validation to reject or sanitize malicious template inputs bypassing the weak regex in cleanDangerousTwig.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation, such as patching to Grav 1.8.0-beta.27, to correct the specific weak regex validation enabling arbitrary command execution.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Requires vulnerability scanning that would identify the SSTI flaw (CVE-2025-66294) in vulnerable Grav versions, enabling proactive detection and patching.

Security SummaryAI

CVE-2025-66294 is a Server-Side Template Injection (SSTI) vulnerability affecting Grav, a file-based web platform, in versions prior to 1.8.0-beta.27. The flaw arises from weak regex validation in the cleanDangerousTwig method, enabling template injection that can lead to arbitrary command execution on the server. It is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Improper Control of Generation of Code ('Code Injection')) and CWE-1336 (Incorrect Handling of Deprecated Mobile Page).

Authenticated attackers with editor permissions can exploit this vulnerability remotely over the network with low complexity to execute arbitrary commands on the affected server. Under certain conditions, the issue may also be exploitable by unauthenticated attackers, potentially granting them the same high-impact privileges including high confidentiality, integrity, and availability effects.

The vulnerability is fixed in Grav version 1.8.0-beta.27. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f and the fixing commit at https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458.

Details

CWE(s): CWE-94 CWE-1336

Affected Products

getgrav

grav

1.8.0 · 1.7.48 — 1.8.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1221 Template Injection Stealth

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

attack.mitre.org →

Why these techniques?

CVE describes Server-Side Template Injection (SSTI) in a public-facing web platform (Grav), directly enabling T1221 (Template Injection) for code execution and fitting T1190 (Exploit Public-Facing Application) for remote exploitation leading to arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458
Patch · security-advisories@github.com
https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f
Exploit, Vendor Advisory · security-advisories@github.com