Platform: php
Component: getgrav/grav
Fixed in: 1.8.1, 1.8.0-beta.27
CVE-2025-66300 describes an Arbitrary File Access vulnerability discovered in Grav CMS. This flaw allows authenticated, low-privilege users with page editing privileges to read arbitrary files on the server through the "Frontmatter" form. Critically, this includes access to Grav user account files, potentially exposing hashed passwords, 2FA secrets, and password reset tokens, impacting versions 1.8.0-beta.9 and earlier. A fix is available in version 1.8.0-beta.27.
The primary impact of CVE-2025-66300 is the potential for account compromise. An attacker exploiting this vulnerability can gain access to user account files, which contain sensitive information like hashed passwords, two-factor authentication (2FA) secrets, and password reset tokens. With access to these credentials, an attacker could reset passwords, bypass 2FA, and ultimately gain full control over user accounts within the Grav CMS installation. This could lead to data breaches, unauthorized modifications to the website, and potential defacement. The blast radius extends to all user accounts within the affected Grav CMS instance, making it a significant security risk.
CVE-2025-66300 was publicly disclosed on December 2, 2025. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability has not been added to the CISA KEV catalog. The CVSS score of 8.5 (HIGH) indicates a significant risk, warranting prompt remediation.
Exploit Status
EPSS: 0.08% (23rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-66300 is to immediately upgrade Grav CMS to version 1.8.0-beta.27 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restricting access to the "Frontmatter" form or implementing stricter file access controls on the server could reduce the attack surface. Web Application Firewalls (WAFs) configured to block requests targeting sensitive files or unusual file access patterns may also provide some protection. After upgrading, verify the fix by attempting to access user account files through the "Frontmatter" form; access should be denied.
Update Grav to version 1.8.0-beta.27 or later. This version fixes the arbitrary file read vulnerability. The update can be performed through the Grav administration panel or manually, by downloading the latest release and replacing the existing files.
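The advisory gives three version facts that matter for triage: releases up to and including 1.8.0-beta.9 are affected, 1.8.0-beta.27 is the first fixed pre-release, and 1.8.1 is the fixed stable release. Comparing Grav version strings correctly means ordering pre-release tags ("beta.9" vs "beta.27") and ranking a final release above any of its betas, which naive string comparison gets wrong. The script below is an added example, not tooling from the Grav project or from this page's vendor; it assumes the deployment pins getgrav/grav in a composer.lock file (the sample lock document is constructed inline) and classifies the pinned version against the advisory's ranges. Versions between beta.9 and beta.27 are not described by the advisory, so the script reports them as "unlisted" rather than guessing.

```python
"""
Classify the getgrav/grav version pinned in a composer.lock against the
version ranges stated for CVE-2025-66300 (affected: <= 1.8.0-beta.9;
fixed: 1.8.0-beta.27 and later, including 1.8.1).
Added example; not part of Grav or of the advisory.
"""
import json
import re
from typing import Optional, Tuple

# Constructed sample composer.lock fragment (not captured from a real site).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "getgrav/grav", "version": "1.8.0-beta.9"},
        {"name": "symfony/yaml", "version": "v6.4.0"},
    ]
})

AFFECTED_MAX = "1.8.0-beta.9"   # highest affected version per the advisory
FIXED_MIN = "1.8.0-beta.27"     # first fixed version per the advisory

# Pre-release labels in ascending order; a final release outranks all of them.
_PRE_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_FINAL_RANK = 99


def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Turn '1.8.0-beta.9' or 'v1.8.1' into a sortable key:
    (release numbers, (pre-release rank, pre-release number))."""
    v = v.strip().lstrip("vV")
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-?([A-Za-z]+)\.?(\d*))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    while len(release) < 3:            # treat 1.8 as 1.8.0
        release += (0,)
    if m.group(2) is None:             # no pre-release tag: final release
        return release, (_FINAL_RANK, 0)
    label = m.group(2).lower()
    if label not in _PRE_RANK:
        raise ValueError(f"unknown pre-release label in {v!r}")
    num = int(m.group(3)) if m.group(3) else 0
    return release, (_PRE_RANK[label], num)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for a getgrav/grav version.
    'unlisted' covers versions the advisory does not classify
    (between 1.8.0-beta.9 and 1.8.0-beta.27); check those manually."""
    key = parse_version(version)
    if key <= parse_version(AFFECTED_MAX):
        return "affected"
    if key >= parse_version(FIXED_MIN):
        return "fixed"
    return "unlisted"


def grav_version_from_lock(lock_json: str) -> Optional[str]:
    """Find the pinned getgrav/grav version in a composer.lock document."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "getgrav/grav":
                return pkg.get("version")
    return None


def check_lock(lock_json: str) -> Tuple[Optional[str], str]:
    """Return (pinned version, classification) for a composer.lock string."""
    version = grav_version_from_lock(lock_json)
    if version is None:
        return None, "not-present"
    return version, classify(version)


if __name__ == "__main__":
    pinned, status = check_lock(SAMPLE_COMPOSER_LOCK)
    print(f"getgrav/grav {pinned}: {status} by CVE-2025-66300")
```

To run it against a real deployment, pass the contents of the site's composer.lock to `check_lock`; if Grav was installed from a release archive rather than through Composer, the version string can be taken from the `GRAV_VERSION` constant in system/defines.php instead and passed to `classify` directly. The three-way result is deliberate: a version the advisory neither lists as affected nor as fixed should trigger a manual check of the official advisory, not an automatic "safe".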
CVE-2025-66300 is a HIGH severity vulnerability allowing low-privilege users to read sensitive files in Grav CMS versions ≤1.8.0-beta.9, potentially exposing user account data.
Yes, if you are running Grav CMS version 1.8.0-beta.9 or earlier, you are vulnerable to this Arbitrary File Access flaw.
Upgrade Grav CMS to version 1.8.0-beta.27 or later to remediate the vulnerability. Consider temporary workarounds like restricting access to the "Frontmatter" form if immediate upgrade is not possible.
As of December 2, 2025, there is no confirmed evidence of active exploitation campaigns targeting CVE-2025-66300.
Refer to the official Grav CMS security advisory for detailed information and updates regarding CVE-2025-66300.