PT-2025-48551 · Grav · Grav

Published

2025-12-01

·

Updated

2025-12-04

·

CVE-2025-66295

CVSS v3.1

8.8

High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.8.0-beta.27
Description: Grav is a file-based (flat-file) web platform that stores each user account as a YAML file under user/accounts/. An authenticated user who has the privilege to create users in the Admin UI can supply a username containing path traversal sequences (for example ../Nijat or ..Nijat); Grav uses that username to build the account file name, so the account YAML file is written to a path outside the user/accounts/ directory. The written file contains account fields the attacker controls or influences, such as email, fullname, the two-factor (twofa) secret and the hashed password, so the flaw amounts to an authenticated, attacker-influenced file write outside the intended directory. The CVSS vector (PR:L) reflects that an account with user-creation rights is required.
Recommendations: Update to version 1.8.0-beta.27 or later. Until the update is applied, limit the number of Admin accounts permitted to create users, and check the user/ tree for YAML files that appear outside user/accounts/ as a sign of attempted exploitation.
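The description above boils down to a classic pattern: an untrusted name is spliced into a file path, and only an allowlist on the name (with a containment check as defence in depth) keeps the write inside the intended directory. The following is an added example, not Grav's code: it models the account-file path as user/accounts/<username>.yaml (a hypothetical layout following the advisory), shows which of the advisory's sample usernames escape that directory under a plain path join, and contrasts a hardened builder. Note that with a plain POSIX join the second sample, ..Nijat, stays inside the directory, so a containment check alone would not catch it; the allowlist does, because it never admits dots or slashes at all. The allowlist pattern, function names and sample inputs are all assumptions made for this example.

```python
# Added example (not Grav's code): a username that reaches the filesystem as part
# of a file name can escape user/accounts/; reject it before building the path.
import os
import re
from pathlib import Path

# Assumed layout following the advisory's description; the base is hypothetical.
ACCOUNTS_DIR = Path("user/accounts")

# Assumed allowlist: a letter or digit, then 2-31 letters, digits, '_' or '-'.
# Dots, slashes, backslashes and NUL are never admitted, so no traversal token
# can appear in the name in the first place.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{2,31}")


def naive_account_path(username: str) -> Path:
    """The unsafe pattern: the raw username is spliced into the file name."""
    return ACCOUNTS_DIR / f"{username}.yaml"


def escapes_base(path: Path, base: Path = ACCOUNTS_DIR) -> bool:
    """Return True if `path`, after lexical normalisation, lies outside `base`.

    os.path.normpath collapses '..' without touching the filesystem, so the check
    also works for files that do not exist yet (the case on account creation).
    Comparing Path components via relative_to avoids the string-prefix bug where
    'user/accounts2/x' would pass a startswith('user/accounts') test.
    """
    target = Path(os.path.abspath(os.path.normpath(path)))
    root = Path(os.path.abspath(os.path.normpath(base)))
    try:
        target.relative_to(root)
        return False
    except ValueError:
        return True


def safe_account_path(username: str) -> Path:
    """Hardened builder: allowlist first, containment check as defence in depth."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"username rejected by allowlist: {username!r}")
    path = naive_account_path(username)
    if escapes_base(path):
        raise ValueError(f"path escapes {ACCOUNTS_DIR}: {path}")
    return path


def is_accepted(username: str) -> bool:
    """Convenience wrapper: does the hardened builder accept this username?"""
    try:
        safe_account_path(username)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the advisory's two samples, a benign name and a deeper escape.
    for name in ("nijat", "../Nijat", "..Nijat", "../../config/site"):
        naive = naive_account_path(name)
        print(f"{name!r:22} -> {os.path.normpath(naive):28} "
              f"escapes={escapes_base(naive)!s:5} accepted={is_accepted(name)}")
```

Run it as a script to see the four cases side by side: only the names containing a path separator actually leave user/accounts/ under the naive join, but the hardened builder rejects every name that is not plain letters, digits, hyphen or underscore, which is the behaviour you want for anything that ends up in a file name.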

Exploit · Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2025-66295
GHSA-H756-WH59-HHJV

Affected Products

Grav