Information disclosure in Grav CMS - CVE-2025-66304

Published: May 5, 2026


Vulnerability identifier: #VU130069
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-66304
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote privileged user to escalate privileges.

The vulnerability exists due to exposure of sensitive information in the user account management section of the admin panel when handling requests to view user account details: the stored password hashes are rendered into the page. A remote user with an admin-panel account that can view user accounts can read the hashes from the page source and attempt to crack them, then use the recovered passwords to escalate privileges.

The password hashes of all users, including the admin user, can be exposed to any account with read access to user accounts.
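The following check is an added example written for this page, not code from Grav or from the advisory. It scans a saved copy of the admin user-detail page source for hash-shaped tokens so that the exposure can be confirmed before patching and its absence confirmed afterwards. It assumes that Grav stores passwords in PHP `password_hash()`/crypt(3) formats (bcrypt `$2y$...` by default; argon2 and sha-crypt are matched defensively). The two embedded HTML samples, the admin path `/admin/user/admin`, the `hashed_password` field name and the hash values are all constructed here and are not captured from a real installation.

```python
"""Scan admin-panel page source for leaked password hashes (CVE-2025-66304).

Added example, not Grav's code. Assumes PHP password_hash()/crypt(3) hash
formats; all sample data below is constructed, not captured from Grav.
"""
from __future__ import annotations

import html
import re
import sys

# crypt(3)-style formats PHP's password_hash()/crypt() emit.
_HASH_PATTERNS = {
    "bcrypt": re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}"),
    "argon2": re.compile(
        r"\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+"
    ),
    "sha-crypt": re.compile(
        r"\$[56]\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{43,86}"
    ),
}

# Constructed bcrypt-shaped value (60 chars, valid alphabet); not a real credential.
CONSTRUCTED_BCRYPT = "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

# Constructed page source: a user-edit form whose template rendered the stored
# hash into a hidden field. Path and field names are assumptions, not Grav's.
LEAKY_PAGE = f"""<form method="post" action="/admin/user/admin">
  <input type="text" name="data[username]" value="admin">
  <input type="hidden" name="data[hashed_password]" value="{CONSTRUCTED_BCRYPT}">
  <input type="password" name="data[password]" value="">
</form>"""

# Constructed page source as it should look once the hash is no longer rendered.
SAFE_PAGE = """<form method="post" action="/admin/user/admin">
  <input type="text" name="data[username]" value="admin">
  <input type="password" name="data[password]" value="" placeholder="********">
</form>"""


def find_leaked_hashes(page_source: str) -> list[tuple[str, str]]:
    """Return (scheme, hash) pairs for every hash-shaped token in page_source.

    The source is HTML-unescaped first so a hash sitting in an attribute or in
    a JSON blob inside <script> is still found when '$', '/' or '+' were
    entity-encoded. Duplicates are collapsed, first occurrence order kept.
    """
    text = html.unescape(page_source)
    seen: dict[str, str] = {}
    for scheme, pattern in _HASH_PATTERNS.items():
        for match in pattern.finditer(text):
            seen.setdefault(match.group(0), scheme)
    return [(scheme, value) for value, scheme in seen.items()]


def redact(hash_value: str) -> str:
    """Keep only the scheme/cost prefix so a finding can be logged without
    re-leaking the hash, e.g. '$2y$10$<redacted>'."""
    parts = hash_value.split("$", 3)  # ['', scheme, cost-or-version, rest]
    return "$" + "$".join(parts[1:3]) + "$<redacted>"


def check_page(page_source: str) -> tuple[bool, list[str]]:
    """Return (passes, findings): passes is True when no hash is present."""
    hits = find_leaked_hashes(page_source)
    findings = [f"{scheme}: {redact(value)}" for scheme, value in hits]
    return (not hits, findings)


if __name__ == "__main__":
    # Usage: python check.py saved_user_page.html  (no argument: run the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            pages = {sys.argv[1]: fh.read()}
    else:
        pages = {"constructed leaky page": LEAKY_PAGE, "constructed safe page": SAFE_PAGE}
    for name, source in pages.items():
        passes, findings = check_page(source)
        print(f"{name}: {'PASS' if passes else 'FAIL'}", *findings, sep="\n  ")
```

Save the user-detail page as rendered for an authenticated low-privilege admin account (for example with the browser's "view source" or a cookie-authenticated `curl -o`), run the script on that file before and after applying the vendor update, and expect FAIL before and PASS after. The script reports only a redacted prefix so the check itself does not copy hashes into logs or tickets.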


How to mitigate CVE-2025-66304

Install the security update from the vendor's website. Because the exposed data are password hashes, also treat any account whose hash may have been viewed as compromised and reset its password after updating.

Sources