CVE-2025-66294
Published: 01 December 2025
Summary
CVE-2025-66294 is a high-severity Code Injection (CWE-94) vulnerability in Getgrav Grav. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the SSTI vulnerability by requiring effective input validation to reject or sanitize malicious template inputs bypassing the weak regex in cleanDangerousTwig.
Mandates timely flaw remediation, such as patching to Grav 1.8.0-beta.27, to correct the specific weak regex validation enabling arbitrary command execution.
Requires vulnerability scanning that would identify the SSTI flaw (CVE-2025-66294) in vulnerable Grav versions, enabling proactive detection and patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE describes Server-Side Template Injection (SSTI) in a public-facing web platform (Grav), directly enabling T1221 (Template Injection) for code execution and fitting T1190 (Exploit Public-Facing Application) for remote exploitation leading to arbitrary command execution.
NVD Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited…
more
by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.
Deeper analysisAI
CVE-2025-66294 is a Server-Side Template Injection (SSTI) vulnerability affecting Grav, a file-based web platform, in versions prior to 1.8.0-beta.27. The flaw arises from weak regex validation in the cleanDangerousTwig method, enabling template injection that can lead to arbitrary command execution on the server. It is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Improper Control of Generation of Code ('Code Injection')) and CWE-1336 (Incorrect Handling of Deprecated Mobile Page).
Authenticated attackers with editor permissions can exploit this vulnerability remotely over the network with low complexity to execute arbitrary commands on the affected server. Under certain conditions, the issue may also be exploitable by unauthenticated attackers, potentially granting them the same high-impact privileges including high confidentiality, integrity, and availability effects.
The vulnerability is fixed in Grav version 1.8.0-beta.27. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f and the fixing commit at https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458.
Details
- CWE(s)