CVE-2025-66303
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-01

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations. The only way to recover from this issue is to manually access the host server and modify the backup.yaml file to correct the corrupted cron expression. This vulnerability is fixed in 1.8.0-beta.27.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-01
Last Modified
2025-12-03
Generated
2026-05-07
AI Q&A
2025-12-01
EPSS Evaluated
2026-05-05
NVD
CVE-2025-66303
Affected Vendors & Products
Showing 27 associated CPEs
Vendor Product Version / Range
getgrav grav to 1.8.0 (exc)
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Grav, a file-based web platform, involves improper sanitization of the scheduled_at parameter used for cron expressions. By injecting malicious input such as a single quote into this parameter, the admin panel becomes non-functional, causing a Denial of Service (DoS). Recovery requires manual modification of the backup.yaml file on the host server. The issue is fixed in version 1.8.0-beta.27.


How can this vulnerability impact me? :

The vulnerability can cause a Denial of Service (DoS) by making the Grav admin panel non-functional, which disrupts administrative operations. This can lead to significant operational downtime and requires manual intervention on the host server to fix the corrupted cron expression.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Grav to version 1.8.0-beta.27 or later. If the admin panel is already non-functional due to this issue, manually access the host server and modify the backup.yaml file to correct the corrupted cron expression caused by the malicious scheduled_at parameter input.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart