Platform: php
Component: getgrav/grav
Fixed in: 1.8.1, 1.8.0-beta.27
CVE-2025-66299 describes a Server-Side Template Injection (SSTI) vulnerability affecting Grav CMS. This vulnerability allows authenticated users with editor permissions to execute arbitrary code, effectively bypassing the CMS's security sandbox. The issue impacts versions of Grav CMS up to and including 1.8.0-beta.9, and a fix is available in version 1.8.0-beta.27.
The impact of this SSTI vulnerability is significant. An attacker exploiting the flaw gains remote code execution (RCE) on the server hosting the Grav CMS instance and can compromise the whole system, potentially leading to data breaches, website defacement, or complete server takeover. Because the flaw bypasses the security sandbox, commands that the sandbox would normally restrict become available, which amplifies the risk. Given the potential for full system compromise, the blast radius is substantial: all data and services hosted on the affected server are exposed.
This vulnerability was publicly disclosed on December 2, 2025. No public exploits have been widely reported, but SSTI flaws are generally easy to exploit, so rapid weaponization is plausible. The CVSS score of 8.8 (HIGH) indicates a significant risk. Monitor security advisories and threat intelligence feeds for signs of active exploitation campaigns targeting Grav CMS instances.
Exploit Status
EPSS: 0.10% (28th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-66299 is to upgrade Grav CMS to version 1.8.0-beta.27 or later without delay. If upgrading is not immediately feasible, consider temporary workarounds. A WAF rule that reliably blocks SSTI is hard to write, but restricting user input within templates and carefully reviewing editor permissions reduce the attack surface. Regularly scan templates for potentially dangerous code snippets. After upgrading, verify the fix by attempting to inject a simple template payload (e.g., {{ config.system.uri_scheme }}) and confirming that it does not execute arbitrary code.
Upgrade Grav CMS to version 1.8.0-beta.27 or later. This version contains the fix for the Server-Side Template Injection (SSTI) vulnerability. Upgrading prevents arbitrary code execution on the server.
CVE-2025-66299 is a Server-Side Template Injection vulnerability in Grav CMS versions up to 1.8.0-beta.9, allowing authenticated users with editor permissions to execute arbitrary code.
Yes, if you are running Grav CMS versions 1.8.0-beta.9 or earlier, you are vulnerable to this SSTI vulnerability.
Upgrade Grav CMS to version 1.8.0-beta.27 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, SSTI flaws are generally easy to exploit, so rapid weaponization is plausible. Monitor security advisories.
Refer to the official Grav CMS security advisories and release notes on the Grav CMS website for detailed information and updates.