PT-2025-48555 · Unknown · Grav Admin Plugin

Published 2025-12-01 · Updated 2025-12-01 · CVE-2025-66296

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.8.0-beta.27

Description: Grav's Admin plugin does not check that a username is unique when a new user account is created. A user who holds the create-user permission can therefore submit a new account whose username matches an existing administrator account; because the username is never validated as unique, the administrator's stored credentials are overwritten with the attacker-supplied password and email, and the attacker can then authenticate as that administrator. The outcome is privilege escalation from a limited account to full administrator access. Note that exploitation requires an account that already holds the create-user permission, which is what the PR:L component of the vector reflects.

Recommendations: Update to Grav version 1.8.0-beta.27 or later.
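The flaw the description outlines, replayed as an added example written for this page (it is not Grav's code and not part of the advisory): a constructed file-per-user account store, written in Python rather than Grav's PHP so it runs without the Grav runtime, with the unchecked create placed beside a version that enforces uniqueness through an atomic exclusive create. The `AccountStore` class, the JSON record layout, the directory layout and the sample password hashes are all assumptions made for illustration.

```python
"""Model of the account-overwrite flaw: user creation without a uniqueness check.

Constructed illustration, not Grav's code. Accounts live one file per
username in a directory (file name = normalized username), the shape of
store in which a blind write on "create" silently replaces an existing
record. JSON stands in for the real record format.
"""
import json
import os
import tempfile

# Constructed policy: what a username may consist of after normalization.
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789._-")


class AccountStore:
    def __init__(self, root):
        self.root = root
        os.makedirs(root, exist_ok=True)

    def _path(self, username):
        # Normalize before any uniqueness decision: "Admin" and "admin" must
        # resolve to the same record, and the name must not be able to escape
        # the accounts directory (no slashes, no dots-only names).
        name = username.strip().lower()
        if not name or name in (".", "..") or not set(name) <= ALLOWED:
            raise ValueError("invalid username")
        return os.path.join(self.root, name + ".json")

    def load(self, username):
        with open(self._path(username), encoding="utf-8") as f:
            return json.load(f)

    def create_user_vulnerable(self, username, password_hash, email):
        """The flaw: no check that the username is free. open(..., 'w')
        truncates and rewrites whatever record already sits at that path,
        so a caller with create-user permission can replace the
        administrator's password and email with their own."""
        record = {"email": email, "password": password_hash}
        with open(self._path(username), "w", encoding="utf-8") as f:
            json.dump(record, f)
        return record

    def create_user_hardened(self, username, password_hash, email):
        """Uniqueness enforced by an atomic exclusive create: O_CREAT|O_EXCL
        fails if the file already exists, which also closes the
        check-then-write race that a separate exists() test would leave."""
        path = self._path(username)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            raise ValueError(f"username {username!r} already exists") from None
        record = {"email": email, "password": password_hash}
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(record, f)
        return record


def demo():
    """Replay the advisory's scenario against a fresh temporary store.

    Returns (hardened_refused, admin_record_after_vulnerable_create)."""
    with tempfile.TemporaryDirectory() as root:
        store = AccountStore(root)
        # Existing administrator (constructed record).
        store.create_user_hardened("admin", "hash:admin-original",
                                   "admin@example.com")
        # A low-privilege account holding create-user permission submits a
        # new user whose name collides with the administrator's.
        try:
            store.create_user_hardened("Admin", "hash:attacker",
                                       "attacker@example.com")
            hardened_refused = False
        except ValueError:
            hardened_refused = True
        # The same request through the unchecked path: the admin record is
        # replaced, so the attacker's password now authenticates "admin".
        store.create_user_vulnerable("Admin", "hash:attacker",
                                     "attacker@example.com")
        return hardened_refused, store.load("admin")


if __name__ == "__main__":
    refused, admin = demo()
    print("hardened create refused duplicate:", refused)
    print("admin record after vulnerable create:", admin)
```

Running it shows the hardened path refusing the duplicate and the vulnerable path leaving the `admin` record carrying the attacker's password hash and email. The exclusive create is the part worth copying: a separate "does this username exist?" query followed by a write leaves a window in which two concurrent creates can both pass the check, whereas `O_CREAT|O_EXCL` makes the filesystem the arbiter in a single step.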

Tags: Exploit · Fix · LPE

Weakness Enumeration

Incorrect Privilege Assignment

Related Identifiers

CVE-2025-66296
GHSA-CJCP-QXVG-4RJM

Affected Products

Grav
Grav Admin Plugin