CVE-2025-66307
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-01

Last updated on: 2025-12-03

Assigner: GitHub, Inc.

Description
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses. This allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering. This vulnerability is fixed in 1.11.0-beta.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-01
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-12-01
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66307
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getgrav grav-plugin-admin to 1.10.50 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the admin plugin for Grav prior to version 1.11.0-beta.1. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses. This allows an attacker to enumerate users and disclose sensitive email addresses.

Impact Analysis

An attacker can use this vulnerability to enumerate valid users and obtain their email addresses. This information can be leveraged for targeted attacks such as password spraying, phishing, or social engineering, potentially compromising user accounts and system security.

Mitigation Strategies

Upgrade the Grav admin plugin to version 1.11.0-beta.1 or later, as this version fixes the user enumeration and email disclosure vulnerability in the "Forgot Password" functionality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66307. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart