CVE-2025-66296

Unknown Unknown - Not Provided

BaseFortify

Publication date: 2025-12-01

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access. This vulnerability is fixed in 1.8.0-beta.27.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2025-12-01

Last Modified

2025-12-04

Generated

2026-06-16

AI Q&A

2025-12-01

EPSS Evaluated

2026-06-15

NVD

CVE-2025-66296

Affected Vendors & Products

Vendor	Product	Version / Range
getgrav	grav	From 1.7.49.5 (inc) to 1.8.0 (exc)
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0
getgrav	grav	1.8.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-266	A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

Executive Summary

This vulnerability exists in Grav's Admin plugin before version 1.8.0-beta.27. It occurs because the system does not validate username uniqueness when creating new users. As a result, a user who has permission to create users can create a new account with the same username as an existing administrator, set a new password and email for that account, and then log in as that administrator. This allows the user to escalate their privileges from limited user-manager permissions to full administrator access.

Impact Analysis

This vulnerability can allow an attacker with limited permissions to gain full administrator access to the Grav platform. This means they can control the entire system, potentially modify or delete content, change configurations, and access sensitive data, leading to a complete compromise of the affected web platform.

Mitigation Strategies

Upgrade Grav to version 1.8.0-beta.27 or later, where the vulnerability is fixed. Until then, restrict the create user permission to trusted users only to prevent unauthorized creation of accounts with duplicate administrator usernames.

Hi! I’m here to help you understand CVE-2025-66296. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-66296

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart