CVE-2025-66295— Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-66295
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
Source: NVD (National Vulnerability Database)
Vulnerability Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Grav 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Grav是Grav开源的一套可扩展的用于个人博客、小型内容发布平台和单页产品展示的CMS(内容管理系统)。 Grav 1.8.0-beta.27之前版本存在路径遍历漏洞,该漏洞源于路径遍历序列导致账户YAML文件写入错误路径。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-66295
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-66295
请登录查看更多情报信息。
Same Patch Batch · getgrav · 2025-12-01 · 19 CVEs total
| CVE-2025-66299 | 8.8 HIGH | Security Sandbox Bypass with SSTI (Server Side Template Injection) in the Grav CMS |
| CVE-2025-66296 | 8.8 HIGH | Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check A |
| CVE-2025-66300 | 8.5 HIGH | Grav is vulnerable to Arbitrary File Read |
| CVE-2025-66302 | 6.8 MEDIUM | Grav vulnerable to Path Traversal allowing server files backup |
| CVE-2025-66307 | 6.5 MEDIUM | Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure |
| CVE-2025-66304 | 6.2 MEDIUM | Grav Exposes Password Hashes Leading to privilege escalation |
| CVE-2025-66303 | 4.9 MEDIUM | Grav is vulnerable to a DOS on the admin panel |
| CVE-2025-66306 | 4.3 MEDIUM | Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel |
| CVE-2025-66305 | Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter | |
| CVE-2025-66294 | Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass | |
| CVE-2025-66297 | Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig I | |
| CVE-2025-66311 | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Mul | |
| CVE-2025-66309 | Grav vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], para | |
| CVE-2025-66312 | Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/account | |
| CVE-2025-66301 | Grav ihas Broken Access Control which allows an Editor to modify the page's YAML Frontmatt | |
| CVE-2025-66308 | Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/ | |
| CVE-2025-66298 | Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms | |
| CVE-2025-66310 | Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parame |
IV. Related Vulnerabilities
Same product: grav
- CVE-2025-66312
Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) S - CVE-2025-66311
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoin - CVE-2025-66310
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoin - CVE-2025-66309
Grav vulnerable to Cross-Site Scripting (XSS) Reflected endp - CVE-2025-66308
Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) S
Same vendor: getgrav
- CVE-2020-36955
Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persisten - CVE-2021-47812
GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticate - CVE-2025-66312
Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) S - CVE-2025-66311
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoin - CVE-2025-66310
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoin
Same weakness: CWE-22
- CVE-2026-8274
npitre cramfs-tools Directory cramfsck.c do_directory path t - CVE-2022-50956
WordPress Plugin amministrazione-aperta 3.7.3 Local File Rea - CVE-2026-8215
Industrial Application Software IAS Canias ERP RMI iasReques - CVE-2026-42605
AzuraCast: Path Traversal in `currentDirectory` Parameter En - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow
V. Comments for CVE-2025-66295
No comments yet