Observable Response Discrepancy in Grav CMS - CVE-2025-66307

Published: May 5, 2026


Vulnerability identifier: #VU130055
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-66307
CWE-ID: CWE-204
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote attacker to enumerate valid usernames and disclose associated email addresses.

The vulnerability exists due to observable response discrepancy in the taskForgot() function of the Admin plugin login controller when handling password reset requests to /admin/forgot. A remote attacker can submit repeated password reset requests with crafted usernames to enumerate valid usernames and disclose associated email addresses.

Exploitation requires the password reset functionality to be enabled.
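The pattern behind CWE-204 in a password reset handler, as an added illustration that is not Grav's code and not taken from the advisory: a leaky handler whose status and message differ between known and unknown usernames (and which echoes the stored address), beside a hardened form that returns the same response either way. The function names, the in-memory `$users` store and the `ResetMailer` class are hypothetical.

```php
<?php
// Added example (not Grav's code): a minimal password-reset handler showing the
// observable-response-discrepancy pattern and a uniform-response alternative.
// forgotLeaky, forgotUniform, $users and ResetMailer are hypothetical names.

declare(strict_types=1);

// Constructed in-memory user store standing in for the CMS account database.
$users = [
    'admin'  => ['email' => 'admin@example.invalid'],
    'editor' => ['email' => 'editor@example.invalid'],
];

// Records where a reset link would have been mailed; nothing is really sent.
final class ResetMailer
{
    /** @var array<int, array{email: string, token: string}> */
    public array $sent = [];

    public function send(string $email, string $token): void
    {
        $this->sent[] = ['email' => $email, 'token' => $token];
    }
}

// Pattern to avoid: the HTTP status and message reveal whether the account
// exists, and the success branch discloses the registered email address.
function forgotLeaky(array &$users, string $username, ResetMailer $mailer): array
{
    if (!isset($users[$username])) {
        return ['status' => 404, 'message' => "User '$username' not found"];
    }
    $email = $users[$username]['email'];
    $mailer->send($email, bin2hex(random_bytes(32)));
    return ['status' => 200, 'message' => "Reset instructions sent to $email"];
}

// Hardened form: identical status and message whether or not the account
// exists, the stored address is never echoed, and the token work is done on
// every request so an absent account does not answer noticeably faster.
function forgotUniform(array &$users, string $username, ResetMailer $mailer): array
{
    $exists = isset($users[$username]) && $users[$username]['email'] !== '';

    // Generated and hashed on every request, not only when the user exists.
    $token     = bin2hex(random_bytes(32));
    $tokenHash = password_hash($token, PASSWORD_DEFAULT);

    if ($exists) {
        // Only the hash is persisted; the plaintext token goes out in the mail.
        $users[$username]['reset_hash'] = $tokenHash;
        $mailer->send($users[$username]['email'], $token);
    }

    return [
        'status'  => 200,
        'message' => 'If an account with that username exists, reset instructions '
                   . 'have been sent to its registered email address.',
    ];
}

$mailer  = new ResetMailer();
$known   = forgotUniform($users, 'admin', $mailer);
$unknown = forgotUniform($users, 'nobody', $mailer);

// Both responses are identical, so the client learns nothing about which
// usernames exist; the only difference is the side effect on the server.
if ($known !== $unknown) {
    throw new RuntimeException('responses differ between known and unknown user');
}
if (count($mailer->sent) !== 1 || $mailer->sent[0]['email'] !== 'admin@example.invalid') {
    throw new RuntimeException('exactly one reset mail to the real account expected');
}
echo $known['message'], PHP_EOL;
```

The uniform message is the remediation principle, not a substitute for the vendor fix. Because the advisory states that exploitation requires the password reset functionality to be enabled, disabling that feature until the update is installed removes the reachable path; rate limiting requests to the reset endpoint per client reduces the value of repeated probing but does not by itself close the discrepancy.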


How to mitigate CVE-2025-66307

Install the security update from the vendor's website.
