CVE-2025-66298

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-66298

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66298.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-66298

Aliases

GHSA-8535-hvm8-2hmv

Published

2025-12-01T21:10:43.105Z

Modified

2026-04-10T05:34:16.138313Z

Severity

7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms

Details

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload to exploit a Server-Side Template (SST) vulnerability. Sensitive information may be contained in the configuration details. This vulnerability is fixed in 1.8.0-beta.27.

Database specific

{
    "cwe_ids": [
        "CWE-1336"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66298.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/getgrav/grav

Affected ranges

Type: GIT
Repo: https://github.com/getgrav/grav
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0f879bd1d44863dfcf77d7cb640dab604a0dcce2

Affected versions

0.*

0.8.0

0.9.0

0.9.10

0.9.11

0.9.12

0.9.13

0.9.14

0.9.15

0.9.16

0.9.17

0.9.18

0.9.19

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

1.*

1.1.0-beta.1

1.1.0-beta.2

1.1.0-beta.3

1.1.0-beta.4

1.1.0-beta.5

1.1.0-rc.1

1.1.0-rc.2

1.1.0-rc.3

1.1.9-rc.1

1.1.9-rc.2

1.1.9-rc.3

1.2.0-rc.1

1.2.0-rc.2

1.2.0-rc.3

1.3.0-rc.1

1.3.0-rc.3

1.3.0-rc.4

1.3.0-rc.5

1.5.0-beta.1

1.5.0-beta.2

1.5.0-rc.1

1.6.0-beta.1

1.6.0-beta.2

1.6.0-beta.5

1.6.0-beta.6

1.6.0-beta.7

1.6.0-beta.8

1.6.0-rc.1

1.6.0-rc.2

1.6.0-rc.3

1.6.0-rc.4

1.7.0-beta.1

1.7.0-beta.10

1.7.0-beta.2

1.7.0-beta.3

1.7.0-beta.4

1.7.0-beta.5

1.7.0-beta.6

1.7.0-beta.7

1.7.0-beta.8

1.7.0-beta.9

1.7.0-rc.1

1.7.0-rc.10

1.7.0-rc.12

1.7.0-rc.13

1.7.0-rc.14

1.7.0-rc.15

1.7.0-rc.17

1.7.0-rc.18

1.7.0-rc.19

1.7.0-rc.2

1.7.0-rc.20

1.7.0-rc.3

1.7.0-rc.4

1.7.0-rc.5

1.7.0-rc.6

1.7.0-rc.7

1.7.0-rc.8

1.7.0-rc.9

1.8.0-beta.1

1.8.0-beta.10

1.8.0-beta.11

1.8.0-beta.12

1.8.0-beta.13

1.8.0-beta.14

1.8.0-beta.15

1.8.0-beta.16

1.8.0-beta.17

1.8.0-beta.18

1.8.0-beta.19

1.8.0-beta.2

1.8.0-beta.20

1.8.0-beta.21

1.8.0-beta.22

1.8.0-beta.23

1.8.0-beta.24

1.8.0-beta.25

1.8.0-beta.26

1.8.0-beta.3

1.8.0-beta.4

1.8.0-beta.5

1.8.0-beta.6

1.8.0-beta.7

1.8.0-beta.8

1.8.0-beta.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66298.json"