PT-2025-48556

Published: 2025-12-01 · Updated: 2025-12-02 · CVE-2025-66297

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.8.0-beta.27
Description: A user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, such a user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This can lead to Privilege Escalation and Remote Code Execution.
Recommendations: Update to version 1.8.0-beta.27 or later.

Tags: Exploit · Fix · LPE · RCE

Weakness Enumeration

Related Identifiers

CVE-2025-66297
GHSA-858Q-77WX-HHX6

Affected Products

Grav
Grav Cms
Twig