CVE-2025-66294: RCE in Grav CMS
Platform: php
Component: getgrav/grav
Fixed in: 1.8.1, 1.8.0-beta.27
A Server-Side Template Injection (SSTI) vulnerability has been identified in Grav CMS that can lead to Remote Code Execution (RCE). The flaw stems from insufficient sanitization in the cleanDangerousTwig method and affects versions up to 1.8.0-beta.9. Successful exploitation lets an attacker execute arbitrary commands on the server, and under certain conditions no authentication is required.
Impact and Attack Scenarios
The impact of this RCE vulnerability is significant. An attacker exploiting CVE-2025-66294 could gain complete control over the affected Grav CMS instance. This includes the ability to read, modify, and delete sensitive data stored on the server, install malicious software, and potentially pivot to other systems within the network. The weakness in the cleanDangerousTwig method means any class indirectly calling this method for sanitization is also at risk, expanding the potential attack surface. The possibility of unauthenticated exploitation further amplifies the risk, as it bypasses typical authentication controls.
Exploitation Context
CVE-2025-66294 was publicly disclosed on December 2, 2025. The vulnerability's nature (SSTI) makes it a high-priority target, and public proof-of-concept exploits are likely to emerge. While no active exploitation campaigns have been confirmed as of this writing, the ease of exploitation associated with SSTI vulnerabilities suggests a high probability of exploitation in the near future. Monitor security advisories and threat intelligence feeds for updates.
Threat Intelligence
EPSS
38.34% (97% percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2025-66294 is to immediately upgrade Grav CMS to version 1.8.0-beta.27 or later. If upgrading is not immediately feasible, consider implementing stricter access controls to limit editor permissions and carefully review any user input that is processed by the cleanDangerousTwig method. Web Application Firewalls (WAFs) configured to detect and block SSTI payloads can provide an additional layer of defense. Monitor Grav CMS logs for suspicious activity, particularly attempts to inject or execute arbitrary code. After upgrading, confirm the vulnerability is resolved by attempting a known exploitation technique and verifying it fails.
How to fix
Update Grav to version 1.8.0-beta.27 or later. This release fixes the server-side template injection (SSTI) vulnerability. The update can be performed through the Grav admin panel or manually, by downloading the latest release and replacing the existing files.
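The first step of the fix above is knowing which Grav version each install runs. The following added example (not code from Grav or from this advisory) reads the GRAV_VERSION constant that Grav defines in system/defines.php and compares it against the fixed release named on this page, ordering pre-release tags (alpha, beta, rc) correctly so that 1.8.0-beta.9 sorts below 1.8.0-beta.27 and 1.8.1. The sample defines.php content is constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import Tuple

# Constructed stand-in for the constant Grav ships in system/defines.php;
# only the version string here is made up for the example.
SAMPLE_DEFINES_PHP = """<?php
define('GRAV_VERSION', '1.8.0-beta.9');
"""

# Release carrying the fix per the advisory (1.8.1 on the stable line also has it).
FIXED_VERSION = "1.8.0-beta.27"

# Pre-release ordering: alpha < beta < rc < stable release.
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
STABLE_RANK = 3

def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Map '1.8.0-beta.27' -> (1, 8, 0, 1, 27) and '1.8.1' -> (1, 8, 1, 3, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d+)?)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grav version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    rank = PRERELEASE_RANK[tag] if tag else STABLE_RANK
    return (int(major), int(minor), int(patch), rank, int(num or 0))

def grav_version_from_defines(php_source: str) -> str:
    """Extract the GRAV_VERSION string from the contents of system/defines.php."""
    m = re.search(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    if not m:
        raise ValueError("GRAV_VERSION not found in defines.php")
    return m.group(1)

def is_vulnerable(version: str) -> bool:
    """True when the install predates the fixed release and needs upgrading."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def audit_defines(php_source: str) -> Tuple[str, bool]:
    """Return (detected version, needs_upgrade) for one defines.php body."""
    version = grav_version_from_defines(php_source)
    return version, is_vulnerable(version)

def audit_install(grav_root: str) -> Tuple[str, bool]:
    """Audit a real install by reading <grav_root>/system/defines.php."""
    return audit_defines(Path(grav_root, "system", "defines.php").read_text())

if __name__ == "__main__":
    version, vulnerable = audit_defines(SAMPLE_DEFINES_PHP)
    print(f"Grav {version}: {'upgrade to ' + FIXED_VERSION + ' or later' if vulnerable else 'patched'}")
```

Run audit_install against every Grav root in your inventory and treat any True result as an outstanding upgrade.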
Frequently asked questions
What is CVE-2025-66294 — RCE in Grav CMS?
CVE-2025-66294 is a Remote Code Execution vulnerability in Grav CMS versions up to 1.8.0-beta.9, allowing attackers to potentially execute arbitrary commands on the server.
Am I affected by CVE-2025-66294 in Grav CMS?
You are affected if you are running Grav CMS version 1.8.0-beta.9 or earlier. Verify your version and upgrade immediately if vulnerable.
How do I fix CVE-2025-66294 in Grav CMS?
Upgrade Grav CMS to version 1.8.0-beta.27 or later to remediate the vulnerability. Implement stricter access controls as an interim measure.
Is CVE-2025-66294 being actively exploited?
While no active exploitation campaigns have been confirmed, the vulnerability's nature suggests a high probability of exploitation in the near future.
Where can I find the official Grav CMS advisory for CVE-2025-66294?
Refer to the official Grav CMS security advisories on their website or GitHub repository for the latest information and updates.