MeldSecurity
Press Enter to search
CVE Database & Search β†’
Sign In Get Started

CVE-2025-66296

πŸ”΄ HIGH

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users....

Published
Dec 01, 2025
Last Modified
Dec 04, 2025
Views
2
Bookmarks
0

Description

Request Expert Review

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access. This vulnerability is fixed in 1.8.0-beta.27.

Affected Products (27)

getgrav - grav

Version: *

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

CVSS Scores

CVSS 3.1 8.8
8.8
HIGH
CVSS 2.0 8.8

References

github.com github.com

Additional Information

Source
security-advisories@github.com
State
Analyzed

Related CVEs

CVE-2025-8405

HIGH

GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that...

Score: 8.7

CVE-2025-4097

MEDIUM

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could...

Score: 6.5

CVE-2025-11984

MEDIUM

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could h...

Score: 6.8

CVE-2025-11247

MEDIUM

GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have...

Score: 4.3

CVE-2025-9436

MEDIUM

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versio...

Score: 6.4

CVE-2025-14157

MEDIUM

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could ha...

Score: 6.5

Share CVE-2025-66296

Share on Social Media

Copy Link

Embed Code

Request Expert Analysis

Request a professional security analysis for CVE-2025-66296 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Add 3 credits for accelerated delivery

Base Cost: 8 credits
Priority Upgrade: + credits
SLA Acceleration: +3 credits
Total Cost:
Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits

Report Analysis