PT-2025-48554 · Grav · Grav

Published: 2025-12-01 · Updated: 2025-12-02 · CVE-2025-66294

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.8.0-beta.27

Description: Grav is a file-based web platform susceptible to a Server-Side Template Injection (SSTI) issue. Authenticated attackers with editor permissions can execute arbitrary commands on the server. Under specific circumstances, unauthenticated attackers may also be able to exploit this issue. The root cause is weak regex validation within the cleanDangerousTwig method, which can lead to remote code execution.

Recommendations: Update to Grav version 1.8.0-beta.27 or later.

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-66294
GHSA-662M-56V4-3R8F

Affected Products

Grav