PT-2025-48558 · Grav Cms

Published: 2025-12-01 · Updated: 2025-12-03 · CVE-2025-66299
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.8.0-beta.27
Description: Grav CMS is susceptible to a Server-Side Template Injection (SSTI) issue. An authenticated user with editor permissions can execute arbitrary code on the remote server, bypassing the security sandbox. The existing security sandbox does not fully protect the Twig object, allowing interaction through maliciously crafted Twig template directives. This enables an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe filters, effectively bypassing the Grav CMS sandbox.
Recommendations: Update to Grav version 1.8.0-beta.27 or later.
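The two checks a defender wants after reading this advisory are "is my install older than 1.8.0-beta.27?" (which needs pre-release-aware version ordering, since 1.8.0-beta.26 is affected but 1.8.0 is not) and "has anything already been added to the Twig safe lists?". The script below is an added example, not Positive Technologies' or Grav's own code; it assumes the Grav system configuration is loaded from user/config/system.yaml and that the sandbox lists live under the twig.safe_functions and twig.safe_filters keys (the advisory only names "system.twig.safe filters").

```python
"""Affected-version check and Twig sandbox audit for CVE-2025-66299 (added example)."""
import re
from typing import List, Tuple

FIXED_VERSION = "1.8.0-beta.27"  # first fixed release per the advisory


def parse_version(v: str) -> Tuple[Tuple[int, int, int], Tuple[int, str, int]]:
    """Turn 'MAJOR.MINOR.PATCH[-tag.N]' into a sortable key.

    A final release sorts after every pre-release of the same number, so
    1.8.0-beta.27 < 1.8.0-rc.1 < 1.8.0, matching semver ordering.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if m.group(4) is None:
        pre = (1, "", 0)  # no tag: final release, ranks above any pre-release
    else:
        pre = (0, m.group(4).lower(), int(m.group(5) or 0))
    return core, pre


def is_affected(installed: str) -> bool:
    """True when the installed Grav version is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def audit_twig_sandbox(system_config: dict) -> List[str]:
    """Report Twig safe-list entries that widen what templates may call.

    `system_config` is the parsed user/config/system.yaml (assumed layout, e.g.
    yaml.safe_load(open(path))). Any entry here deserves review: the advisory's
    bypass works by getting arbitrary functions onto exactly these lists.
    """
    twig = system_config.get("twig") or {}
    findings = []
    for key in ("safe_functions", "safe_filters"):  # assumed key names
        entries = twig.get(key) or []
        if entries:
            findings.append(f"twig.{key} exposes: {', '.join(map(str, entries))}")
    return findings


if __name__ == "__main__":
    # Constructed sample: an old install whose safe lists were already widened.
    sample_cfg = {"twig": {"safe_functions": ["system", "exec"], "safe_filters": []}}
    print("affected:", is_affected("1.8.0-beta.26"))
    for line in audit_twig_sandbox(sample_cfg):
        print("finding:", line)
```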

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2025-66299, GHSA-GJC5-8CFH-653X

Affected Products: Grav Cms