Cyber Posture

CVE-2025-66297

Severity: High · Public PoC available

Published: 01 December 2025
Modified: 03 December 2025
KEV Added: (not listed)
Patch: (see Security Summary)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (60.8th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: SI-2 (Flaw Remediation) requires timely flaw remediation, directly addressing this CVE by mandating patching to version 1.8.0-beta.27, which fixes the Twig processing vulnerability.
- Prevent: SI-10 (Information Input Validation) enforces validation of information inputs such as page frontmatter, preventing injection of malicious Twig expressions that enable privilege escalation and RCE.
- Prevent: AC-6 (Least Privilege) limits admin panel and page edit permissions to only the users who need them, reducing the attack surface for exploitation of this vulnerability.

Security Summary [AI-generated]

CVE-2025-66297 is a vulnerability in Grav, a file-based web platform, affecting versions prior to 1.8.0-beta.27. It stems from the ability of a user with admin panel access and permissions to create or edit pages to enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, this enables both privilege escalation and remote code execution via the scheduler API. The issue is classified under CWE-1336 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The attack requires low privileges (an authenticated user with admin panel access and page creation or editing rights) and can be carried out over the network with low complexity and no user interaction. Exploitation allows the attacker to escalate privileges to full administrator level or execute arbitrary system commands through the scheduler API, compromising confidentiality, integrity, and availability at a high level.

Grav addresses this vulnerability in version 1.8.0-beta.27. Mitigation details are available in the GitHub security advisory at GHSA-858q-77wx-hhx6 and the fixing commit e37259527d9c1deb6200f8967197a9fa587c6458. Security practitioners should upgrade to the patched version to remediate the issue.

Details

CWE(s): CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)

Affected Products

- getgrav/grav: 1.8.0 (≤ 1.8.0)

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1098 Account Manipulation (tactic: Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
- T1059 Command and Scripting Interpreter (tactic: Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
- T1221 Template Injection (tactic: Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

The vulnerability enables template injection (T1221) via malicious Twig expressions in page frontmatter, allowing exploitation for privilege escalation (T1068) by updating user access levels (T1098: Account Manipulation) and remote code execution (T1059) through the scheduler API for arbitrary system commands.

References