CVE-2025-66301

Name of the Vulnerable Software and Affected Versions Grav versions prior to 1.8.0-beta.27

Description Grav is a file-based Web platform. Improper authorization checks when modifying critical fields on a POST request to the /admin/pages/{page name} endpoint allow an editor with limited permissions to alter the functionality of forms. This is achieved by modifying the data[ json][header][form] parameter, which contains YAML frontmatter including the process section. The process section controls actions performed after form submission, potentially leading to further issues. The page name is a variable representing the target page.

Recommendations Update to version 1.8.0-beta.27 or later.