CVE-2025-66306
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-66306, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-01

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-01
Last Modified
2025-12-03
Generated
2026-07-06
AI Q&A
2025-12-01
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 27 associated CPEs
Vendor Product Version / Range
getgrav grav From 1.7.48 (inc) to 1.8.0 (exc)
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0
getgrav grav 1.8.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) in the Grav CMS Admin Panel prior to version 1.8.0-beta.27. It allows low-privilege users to access sensitive information from other user accounts, such as admin email addresses and metadata, even though they cannot directly take over those accounts.

Impact Analysis

The vulnerability can expose sensitive information like admin email addresses and metadata to unauthorized users. This exposure increases the risk of phishing attacks, credential stuffing, and social engineering, potentially compromising user security indirectly.

Mitigation Strategies

Upgrade Grav CMS Admin Panel to version 1.8.0-beta.27 or later, as this version contains the fix for the IDOR vulnerability. Until the upgrade can be applied, restrict low-privilege user access to the Admin Panel to minimize exposure of sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66306. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart