MeldSecurity
Press Enter to search
CVE Database & Search β†’
Sign In Get Started

CVE-2025-66301

🚨 CRITICAL

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permis...

Published
Dec 01, 2025
Last Modified
Dec 03, 2025
Views
16
Bookmarks
0

Description

Request Expert Review

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

Affected Products (27)

getgrav - grav

Version: *

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

getgrav - grav

Version: 1.8.0

CVSS Scores

CVSS 3.1 9.6
9.6
CRITICAL
CVSS 2.0 9.6

References

github.com github.com

Additional Information

Source
security-advisories@github.com
State
Analyzed

Related CVEs

CVE-2026-1139

HIGH

A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/ConfigExceptMSN. The...

Score: 8.8

CVE-2026-1138

HIGH

A flaw has been found in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/ConfigExceptQQ. Executing a manipulation can...

Score: 8.8

CVE-2026-1137

HIGH

A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig....

Score: 8.8

CVE-2026-1136

LOW

A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bCont...

Score: 3.5

CVE-2026-1135

MEDIUM

A security flaw has been discovered in itsourcecode Society Management System 1.0. This impacts an unknown function of the file /admin/activity.php. T...

Score: 4.3

CVE-2026-1134

MEDIUM

A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. The ma...

Score: 4.3

Share CVE-2025-66301

Share on Social Media

Copy Link

Embed Code

Request Expert Analysis

Request a professional security analysis for CVE-2025-66301 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Add 3 credits for accelerated delivery

Base Cost: 8 credits
Priority Upgrade: + credits
SLA Acceleration: +3 credits
Total Cost:
Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits

Report Analysis