Improper access control in Grav CMS - CVE-2025-66300


Published: May 5, 2026


Vulnerability identifier: #VU130071
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-66300
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote user who can create or edit form pages to disclose sensitive information.

The vulnerability exists due to improper access control in the Frontmatter form handling in /user/plugins/form/templates/forms/fields/display/display.html.twig when processing page content previews or published pages. A remote user can create or edit a form page with specially crafted frontmatter to disclose sensitive information.

The issue can expose arbitrary server files, including Grav account files that contain hashed passwords, 2FA secrets, and password reset tokens.
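As an added example (not code from the advisory or from Grav), the script below inventories the pages under a Grav `user/pages` tree whose frontmatter declares a form field of type `display`, the field rendered by the template named above, so a defender can review those pages and confirm who created or last edited them until the vendor update is applied. It assumes Grav's standard layout of markdown pages with YAML frontmatter and constructs its own sample pages in a temporary directory.

```python
"""Triage helper for CVE-2025-66300: list Grav pages whose frontmatter declares
a form field of type 'display' (rendered by the form plugin's display.html.twig
named in the advisory) so each one can be reviewed until the update is applied.
Added example, not code from the advisory or from Grav."""
import glob
import os
import re
import tempfile

# Frontmatter is the YAML block between a page's leading '---' lines.
FRONTMATTER_RE = re.compile(r"\A---[ \t]*\n(.*?)\n---", re.S)
# A field declared 'type: display', whether in list ('- type:') or map style.
DISPLAY_RE = re.compile(r"^\s*-?\s*type:\s*display\s*$")

def display_field_lines(text):
    """File line numbers (1-based) of 'type: display' fields in the frontmatter,
    found by a plain line scan (no YAML parser) so the script has no dependencies."""
    m = FRONTMATTER_RE.match(text)
    fm = m.group(1) if m else ""  # no frontmatter means no form is declared
    return [n for n, ln in enumerate(fm.splitlines(), 2) if DISPLAY_RE.match(ln)]  # '---' is line 1

def scan_pages(root):
    """Walk a Grav user/pages tree; return {relative page path: [line numbers]}."""
    hits = {}
    for path in sorted(glob.glob(os.path.join(root, "**", "*.md"), recursive=True)):
        with open(path, encoding="utf-8") as f:
            lines = display_field_lines(f.read())
        if lines:
            hits[os.path.relpath(path, root).replace(os.sep, "/")] = lines
    return hits

# Constructed sample pages (not real site content) for a stand-alone run.
SAMPLE_PAGES = {
    "contact/form.md": ("---\ntitle: Contact\nform:\n  name: contact\n  fields:\n"
                        "    - name: intro\n      type: display\n"
                        "    - name: email\n      type: email\n---\nBody\n"),
    "about/default.md": "---\ntitle: About\n---\nNo form here.\n",
    "notes/default.md": "type: display\n\nNot frontmatter, just body text.\n",
}

def build_sample_tree():
    root = tempfile.mkdtemp(prefix="grav-pages-")  # fresh temp dir holding the samples
    for rel, text in SAMPLE_PAGES.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(text)
    return root

if __name__ == "__main__":
    for page, lines in scan_pages(build_sample_tree()).items():
        print(f"{page}: 'display' field at line(s) {lines}")
```

Point `scan_pages` at a real `user/pages` directory to get the list for an actual site; a page whose `type: display` text sits in the body rather than the frontmatter is deliberately not reported.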


How to mitigate CVE-2025-66300

Install the security update from the vendor's website.

Sources