CVE-2025-66300 describes an Arbitrary File Access vulnerability discovered in Grav CMS. This flaw allows authenticated, low-privilege users with page editing privileges to read arbitrary files on the server through the "Frontmatter" form. Critically, this includes access to Grav user account files, potentially exposing hashed passwords, 2FA secrets, and password reset tokens, impacting versions 1.8.0-beta.9 and earlier. A fix is available in version 1.8.0-beta.27.
The primary impact of CVE-2025-66300 is the potential for account compromise. An attacker exploiting this vulnerability can gain access to user account files, which contain sensitive information like hashed passwords, two-factor authentication (2FA) secrets, and password reset tokens. With access to these credentials, an attacker could reset passwords, bypass 2FA, and ultimately gain full control over user accounts within the Grav CMS installation. This could lead to data breaches, unauthorized modifications to the website, and potential defacement. The blast radius extends to all user accounts within the affected Grav CMS instance, making it a significant security risk.
CVE-2025-66300 was publicly disclosed on December 2, 2025. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability has not been added to the CISA KEV catalog. The CVSS score of 8.5 (HIGH) indicates a significant risk, warranting prompt remediation.
Websites and applications running Grav CMS versions 1.8.0-beta.9 and earlier are at risk. This includes organizations hosting Grav CMS instances on shared hosting environments, as the vulnerability allows file access regardless of user privileges. Deployments with default configurations or without robust file access controls are particularly exposed.
• php / server:
  find /var/www/grav/user/plugins/form/templates/forms/fields/display/ -name 'display.html.twig' -print0 | xargs -0 grep -i 'frontmatter'
• php / server:
  journalctl -u grav -f | grep -i "Frontmatter"
• generic web:
  Use curl to test for access to sensitive files. If the CMS is configured with default settings, attempt to access /grav/user/accounts/*.yaml via a browser or curl. A successful response indicates that the account files are exposed.
• generic web:
  Review access logs for unusual file access patterns, particularly requests targeting files within the /grav/user/accounts/ directory.
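As an added example (not code from the advisory or from the Grav project), a small Python scanner that applies the last check above to web-server access log lines: it flags any request whose path, after percent-decoding, references a user/accounts/*.yaml file. The log format, the sample lines and the IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Combined Log Format parser (constructed for this example, not Grav code).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Indicator taken from the advisory: a request that references the Grav
# user account store (user/accounts/<name>.yaml). Matching runs on the
# decoded target so percent-encoded variants do not slip past the check.
ACCOUNTS_RE = re.compile(r'user/accounts/[^/?&]+\.yaml', re.IGNORECASE)

def normalise(target: str) -> str:
    """Decode up to two layers of percent-encoding (double-encoded requests are common)."""
    prev, cur = None, target
    for _ in range(2):
        prev, cur = cur, unquote(cur)
        if cur == prev:
            break
    return cur

def suspicious(line: str):
    """Return (ip, raw target, status) when the request references an account file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if ACCOUNTS_RE.search(normalise(m.group("target"))):
        return m.group("ip"), m.group("target"), int(m.group("status"))
    return None

def scan(lines):
    """Return every suspicious hit, in log order, for a list of access log lines."""
    return [hit for hit in map(suspicious, lines) if hit]

# Constructed sample traffic (documentation IP ranges, not real requests).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Dec/2025:10:00:01 +0000] "GET /admin/pages/home HTTP/1.1" 200 1234',
    '198.51.100.7 - - [02/Dec/2025:10:01:30 +0000] "GET /user/accounts/admin.yaml HTTP/1.1" 403 0',
    '198.51.100.7 - - [02/Dec/2025:10:01:31 +0000] "GET /user%2Faccounts%2Fadmin.yaml HTTP/1.1" 200 512',
    '203.0.113.5 - - [02/Dec/2025:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"{ip} -> {target} ({status})")
```

Access logs record only the request line, not form bodies, so reads performed through the Frontmatter form itself may not appear here; treat this as one signal alongside the server-side checks above.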
EPSS: 0.08% (23rd percentile)
The primary mitigation for CVE-2025-66300 is to immediately upgrade Grav CMS to version 1.8.0-beta.27 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restricting access to the "Frontmatter" form or implementing stricter file access controls on the server could reduce the attack surface. Web Application Firewalls (WAFs) configured to block requests targeting sensitive files or unusual file access patterns may also provide some protection. After upgrading, verify the fix by attempting to access user account files through the "Frontmatter" form; access should be denied.
Update Grav to version 1.8.0-beta.27 or later. This version fixes the arbitrary file read vulnerability. The update can be performed through the Grav administration panel or manually, by downloading the latest version and replacing the existing files.
CVE-2025-66300 is a HIGH severity vulnerability allowing low-privilege users to read sensitive files in Grav CMS versions ≤1.8.0-beta.9, potentially exposing user account data.
Yes, if you are running Grav CMS version 1.8.0-beta.9 or earlier, you are vulnerable to this Arbitrary File Access flaw.
Upgrade Grav CMS to version 1.8.0-beta.27 or later to remediate the vulnerability. Consider temporary workarounds like restricting access to the 'Frontmatter' form if immediate upgrade is not possible.
As of December 2, 2025, there is no confirmed evidence of active exploitation campaigns targeting CVE-2025-66300.
Refer to the official Grav CMS security advisory for detailed information and updates regarding CVE-2025-66300.