PT-2025-48561 · Grav CMS

Published 2025-12-01 · Updated 2025-12-02 · CVE-2025-66302

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Grav versions prior to 1.8.0-beta.27

Description
Grav CMS contains a path traversal flaw. An authenticated attacker with administrative privileges can read arbitrary files on the server filesystem. The cause is inadequate input sanitization in the backup tool: a user-supplied path is not restricted to the backup directory, so it can reference files outside the webroot. The impact is bounded by the privileges of the account running the application, since only files readable by that account can be obtained.

Recommendations
Update to version 1.8.0-beta.27 or later.
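The flaw class described above, as an added illustrative example: this is not Grav's code and does not reproduce its backup tool. It compares three ways of resolving a user-supplied path under a backup directory in Python: the vulnerable pattern that joins the path with no containment check, the string-prefix check that is often applied as a fix and still lets a sibling directory with a colliding name prefix through, and a hardened version that canonicalises with realpath (so planted symlinks are followed) and compares path components. The directory tree, file names and probe paths are constructed for the demonstration.

```python
"""Containment checks for a user-supplied path under a backup directory.

Illustrative code only: it is not Grav's backup tool and does not reproduce
it. Three resolvers are compared: the vulnerable pattern, an inadequate
string-prefix fix, and a hardened component-wise check.
"""
import os
import shutil
import tempfile


def resolve_unchecked(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: join without any containment check.
    '..' segments walk out of base_dir, and os.path.join() drops base_dir
    entirely when user_path is absolute."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_prefix_checked(base_dir: str, user_path: str) -> str:
    """Insufficient fix: canonicalise, then test a string prefix. '..' is
    stopped, but a sibling whose name merely starts with base_dir
    (e.g. /srv/backups_old beside /srv/backups) is still accepted."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if not candidate.startswith(base):
        raise PermissionError(f"outside {base}: {user_path!r}")
    return candidate


def resolve_contained(base_dir: str, user_path: str) -> str:
    """Hardened: canonicalise both sides (realpath also follows symlinks, so a
    link planted inside the directory cannot point out of it) and compare
    path components rather than characters."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"outside {base}: {user_path!r}")
    return candidate


RESOLVERS = {
    "unchecked": resolve_unchecked,
    "prefix": resolve_prefix_checked,
    "contained": resolve_contained,
}


def build_fixture() -> str:
    """Constructed tree (not from the advisory) in a fresh temp dir:
      <root>/backups/site.zip          legitimate backup
      <root>/backups_old/secret.txt    sibling with a colliding name prefix
      <root>/secret.txt                file outside the backup dir
      <root>/backups/escape -> <root>  symlink planted inside the backup dir
    Symlink creation needs POSIX (or Windows with symlink privileges)."""
    root = tempfile.mkdtemp()
    backups = os.path.join(root, "backups")
    os.makedirs(backups)
    os.makedirs(os.path.join(root, "backups_old"))
    for rel in ("backups/site.zip", "backups_old/secret.txt", "secret.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(f"constructed content of {rel}\n")
    os.symlink(root, os.path.join(backups, "escape"))
    return root


def evaluate(user_path: str) -> dict:
    """Run user_path through every resolver against the fixture and report,
    per resolver, 'inside' (resolved within the backup dir), 'outside'
    (resolver returned a path that escapes it) or 'rejected'."""
    root = build_fixture()
    try:
        base = os.path.realpath(os.path.join(root, "backups"))
        verdicts = {}
        for name, resolver in RESOLVERS.items():
            try:
                resolved = os.path.realpath(resolver(base, user_path))
            except PermissionError:
                verdicts[name] = "rejected"
                continue
            inside = os.path.commonpath([base, resolved]) == base
            verdicts[name] = "inside" if inside else "outside"
        return verdicts
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for probe in ("site.zip", "../backups_old/secret.txt",
                  "/etc/passwd", "escape/secret.txt"):
        print(f"{probe!r:32} {evaluate(probe)}")
```

Only the component-wise check rejects all three escape routes (dot-dot traversal, an absolute path, and a symlink planted inside the directory); the prefix check accepts the sibling directory because `/backups_old` starts with `/backups`. The same check belongs on any path an administrator can supply, since an admin account is still an untrusted input source once its credentials are stolen.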

Weakness Enumeration
Path traversal

Related Identifiers
CVE-2025-66302
GHSA-J422-QMXP-HV94

Affected Products
Grav CMS