CVE-2025-66303
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-01

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations. The only way to recover from this issue is to manually access the host server and modify the backup.yaml file to correct the corrupted cron expression. This vulnerability is fixed in 1.8.0-beta.27.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-01
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-12-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66303
Affected Vendors & Products
Showing 27 associated CPEs
Vendor Product Version / Range
getgrav grav to 1.8.0 (exc)
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Grav, a file-based web platform, involves improper sanitization of the scheduled_at parameter used for cron expressions. By injecting malicious input such as a single quote into this parameter, the admin panel becomes non-functional, causing a Denial of Service (DoS). Recovery requires manual modification of the backup.yaml file on the host server. The issue is fixed in version 1.8.0-beta.27.

Impact Analysis

The vulnerability can cause a Denial of Service (DoS) by making the Grav admin panel non-functional, which disrupts administrative operations. This can lead to significant operational downtime and requires manual intervention on the host server to fix the corrupted cron expression.

Mitigation Strategies

To mitigate this vulnerability, upgrade Grav to version 1.8.0-beta.27 or later. If the admin panel is already non-functional due to this issue, manually access the host server and modify the backup.yaml file to correct the corrupted cron expression caused by the malicious scheduled_at parameter input.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66303. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart