QwikSec

Security Database

CVE

CWE

Training

CVE-2025-66298

Published: Dec 1, 2025

Modified: Dec 2, 2025

PUBLISHED

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload to exploit a Server-Side Template (SST) vulnerability. Sensitive information may be contained in the configuration details. This vulnerability is fixed in 1.8.0-beta.27.

Vendor	Product	Versions
getgrav	grav	affected `< 1.8.0-beta.27`

Weaknesses (CWE)

References

https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv

x_refsource_CONFIRM

https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.