getgrav/grav Security Advisories for 1.8.0-beta.2 (19)
-
[HIGH] Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
PKSA-b17c-1fcn-dgtx CVE-2025-66298 GHSA-8535-hvm8-2hmv
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[HIGH] Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
PKSA-cyrn-zc8g-f5mw CVE-2025-66294 GHSA-662m-56v4-3r8f
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[MEDIUM] Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab
PKSA-6ybw-qvkx-41s3 CVE-2025-66310 GHSA-7g78-5g5g-mvfj
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[MEDIUM] Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab
PKSA-fhbw-8kkc-q4g7 CVE-2025-66309 GHSA-65mj-f7p4-wggq
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[HIGH] Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
PKSA-69s1-6gdk-gbrs CVE-2025-66297 GHSA-858q-77wx-hhx6
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[MEDIUM] Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`
PKSA-j9sn-rww3-fk26 CVE-2025-66308 GHSA-gqxx-248x-g29f
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[HIGH] Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
PKSA-87p7-31n6-n4f3 CVE-2025-66295 GHSA-h756-wh59-hhjv
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[HIGH] Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
PKSA-nbf5-vjfz-hnnq CVE-2025-66305 GHSA-m8vh-v6r6-w7p6
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[MEDIUM] Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
PKSA-rdds-1cns-2prg CVE-2025-66306 GHSA-4cwq-j7jv-qmwg
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[MEDIUM] Grav vulnerable to Path Traversal allowing server files backup
PKSA-pps4-ft6r-rq3g CVE-2025-66302 GHSA-j422-qmxp-hv94
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[MEDIUM] Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure
PKSA-kdts-d57h-cyfm CVE-2025-66307 GHSA-q3qx-cp62-f6m7
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[MEDIUM] Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`
PKSA-w4p2-x7q2-ymxv CVE-2025-66312 GHSA-rmw5-f87r-w988
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[MEDIUM] Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters
PKSA-mhn3-t14t-g84c CVE-2025-66311 GHSA-mpjj-4688-3fxg
Affected version: <1.11.0-beta.1
Reported by:
GitHub -
[MEDIUM] Grav Exposes Password Hashes Leading to privilege escalation
PKSA-gsfs-x94c-47x5 CVE-2025-66304 GHSA-gq3g-666w-7h85
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[MEDIUM] Grav is vulnerable to a DOS on the admin panel
PKSA-v47z-3557-jjwp CVE-2025-66303 GHSA-x62q-p736-3997
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[HIGH] Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
PKSA-8gyx-1dyf-y75r CVE-2025-66301 GHSA-v8x2-fjv7-8hjh
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[HIGH] Grav is vulnerable to Arbitrary File Read
PKSA-82ft-1nmh-cs67 CVE-2025-66300 GHSA-p4ww-mcp9-j6f2
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[HIGH] Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)
PKSA-83gv-619f-b6h7 CVE-2025-66299 GHSA-gjc5-8cfh-653x
Affected version: <1.8.0-beta.27
Reported by:
GitHub -
[HIGH] Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover
PKSA-h4jv-pmqx-9phz CVE-2025-66296 GHSA-cjcp-qxvg-4rjm
Affected version: <1.8.0-beta.27
Reported by:
GitHub