CVE-2025-66301 HIGH

CVE-2025-66301: Grav ihas Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions

Vendor Getgrav

Product grav

Weakness CWE-285

Published December 1, 2025

Last update December 2, 2025

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.

Key dates

02Disclosure timeline

December 1, 2025 CVE published

December 2, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-66301

Related vulnerabilities

CVE-2025-66301: Grav ihas Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions

01Description

02Disclosure timeline

03References

04Related CVE