Platform
php
Component
getgrav/grav
Fixed in
1.8.1
1.8.0-beta.27
A Server-Side Template Injection (SSTI) vulnerability has been identified in Grav CMS, potentially allowing for Remote Code Execution (RCE). This flaw arises from insufficient sanitization within the cleanDangerousTwig method, impacting versions up to 1.8.0-beta.9. Successful exploitation could enable attackers to execute arbitrary commands on the server, with certain conditions allowing unauthenticated access.
The impact of this RCE vulnerability is significant. An attacker exploiting CVE-2025-66294 could gain complete control over the affected Grav CMS instance. This includes the ability to read, modify, and delete sensitive data stored on the server, install malicious software, and potentially pivot to other systems within the network. The weakness in the cleanDangerousTwig method means any class indirectly calling this method for sanitization is also at risk, expanding the potential attack surface. The possibility of unauthenticated exploitation further amplifies the risk, as it bypasses typical authentication controls.
CVE-2025-66294 was publicly disclosed on December 2, 2025. The vulnerability's nature (SSTI) makes it a high-priority target, and public proof-of-concept exploits are likely to emerge. While no active exploitation campaigns have been confirmed as of this writing, the ease of exploitation associated with SSTI vulnerabilities suggests a high probability of exploitation in the near future. Monitor security advisories and threat intelligence feeds for updates.
Organizations and individuals using Grav CMS, particularly those with editor roles enabled, are at risk. Shared hosting environments where multiple users share the same Grav CMS instance are especially vulnerable, as a compromised editor account could potentially impact other users on the same server. Legacy Grav CMS installations with outdated plugins or themes may also be at increased risk.
• php: Examine Grav CMS logs for unusual template rendering patterns or error messages related to the cleanDangerousTwig method. Look for attempts to inject code into template variables.
  grep -i 'cleanDangerousTwig' /path/to/grav/user/logs/grav.log
• generic web: Test endpoints that process user input for signs of template injection. Attempt to inject simple template commands (e.g., {{7*7}}) and observe the response.
  curl -X POST -d "{{7*7}}" http://your-grav-site.com/your-endpoint
• generic web: Check for unusual files or directories created within the Grav CMS installation that could indicate attacker activity.
  find /path/to/grav -type f -not -path '*/cache/*' -print
Exploit Status
EPSS
38.34% (97th percentile)
CISA SSVC
The primary mitigation for CVE-2025-66294 is to immediately upgrade Grav CMS to version 1.8.0-beta.27 or later. If upgrading is not immediately feasible, consider implementing stricter access controls to limit editor permissions and carefully review any user input that is processed by the cleanDangerousTwig method. Web Application Firewalls (WAFs) configured to detect and block SSTI payloads can provide an additional layer of defense. Monitor Grav CMS logs for suspicious activity, particularly attempts to inject or execute arbitrary code. After upgrading, confirm the vulnerability is resolved by attempting a known exploitation technique and verifying it fails.
Update Grav to version 1.8.0-beta.27 or later. This version fixes the server-side template injection (SSTI) vulnerability. The update can be performed through the Grav admin panel or manually, by downloading the latest release and replacing the existing files.
CVE-2025-66294 is a Remote Code Execution vulnerability in Grav CMS versions up to 1.8.0-beta.9, allowing attackers to potentially execute arbitrary commands on the server.
You are affected if you are running Grav CMS version 1.8.0-beta.9 or earlier. Verify your version and upgrade immediately if vulnerable.
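An added version check, not part of this advisory or of the Grav project: it orders Grav pre-release tags correctly (1.8.0-beta.9 sorts below 1.8.0-beta.27, which sorts below 1.8.1) and classifies an installed version against the ranges stated above. It assumes Grav records its version in system/defines.php as a GRAV_VERSION define; versions between beta.9 and beta.27 are reported as unknown because the advisory does not cover them.

```python
import re

# Semantic version with an optional pre-release tag, e.g. 1.8.0-beta.27
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

def parse_version(text):
    """Return a tuple that sorts by semver precedence (pre-release < release)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (core, 1, ())  # a release outranks any pre-release of the same core
    # Numeric identifiers compare numerically and rank below alphanumeric ones
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in m.group(4).split("."))
    return (core, 0, ids)

# Ranges as stated in this advisory
KNOWN_AFFECTED_MAX = parse_version("1.8.0-beta.9")
FIXED_IN = (parse_version("1.8.0-beta.27"), parse_version("1.8.1"))

def assess(version_text):
    """'fixed', 'affected', or 'unknown' for the beta.10..beta.26 gap the advisory leaves open."""
    v = parse_version(version_text)
    if any(v >= fixed for fixed in FIXED_IN):
        return "fixed"
    if v <= KNOWN_AFFECTED_MAX:
        return "affected"
    return "unknown"

# Assumption: Grav's system/defines.php contains define('GRAV_VERSION', '...');
_DEFINE_RE = re.compile(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)")

def version_from_defines(php_source):
    """Extract the GRAV_VERSION string from the contents of system/defines.php."""
    m = _DEFINE_RE.search(php_source)
    if not m:
        raise ValueError("GRAV_VERSION not found")
    return m.group(1)

if __name__ == "__main__":
    # Constructed sample of a defines.php fragment; read the real file on a live install
    sample = "<?php\ndefine('GRAV_VERSION', '1.8.0-beta.9');\n"
    print(assess(version_from_defines(sample)))  # affected
```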
Upgrade Grav CMS to version 1.8.0-beta.27 or later to remediate the vulnerability. Implement stricter access controls as an interim measure.
While no active exploitation campaigns have been confirmed, the vulnerability's nature suggests a high probability of exploitation in the near future.
Refer to the official Grav CMS security advisories on their website or GitHub repository for the latest information and updates.