CVE-2025-66297
Published: 01 December 2025
Summary
CVE-2025-66297 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Getgrav Grav. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 35.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
SI-2 requires timely flaw remediation and directly addresses this CVE by mandating an upgrade to version 1.8.0-beta.27, which fixes the Twig processing vulnerability.
SI-10 enforces validation of information inputs such as page frontmatter, preventing injection of the malicious Twig expressions that enable privilege escalation and RCE.
AC-6 least privilege limits admin panel and page edit permissions to only necessary users, reducing the attack surface for exploitation of this vulnerability.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability enables template injection (T1221) through malicious Twig expressions in page frontmatter. That foothold is then used for exploitation for privilege escalation (T1068) by updating user access levels (T1098: Account Manipulation), and for remote code execution (T1059) through the scheduler API, which runs arbitrary system commands.
NVD Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.
Deeper analysis [AI]
CVE-2025-66297 is a vulnerability in Grav, a file-based web platform, affecting versions prior to 1.8.0-beta.27. It stems from the ability of a user with admin panel access and permissions to create or edit pages to enable Twig processing in the page frontmatter. Such a user can then inject malicious Twig expressions, which enables both privilege escalation and remote code execution via the scheduler API. The issue is classified under CWE-1336 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The attack requires only low privileges (an authenticated user with admin panel access and page creation or editing rights) and can be carried out over the network with low complexity and no user interaction. Exploitation allows the attacker to escalate privileges to full administrator level or execute arbitrary system commands through the scheduler API, with high impact to confidentiality, integrity, and availability.
Grav addresses this vulnerability in version 1.8.0-beta.27. Mitigation details are available in the GitHub security advisory at GHSA-858q-77wx-hhx6 and the fixing commit e37259527d9c1deb6200f8967197a9fa587c6458. Security practitioners should upgrade to the patched version to remediate the issue.
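Because the weakness is reached through pages whose frontmatter switches on Twig processing, a defender who cannot upgrade immediately will want an inventory of exactly those pages (the SI-10 and AC-6 angle above: know which pages have Twig enabled and review who is allowed to edit them). The following audit script is an added example written for this page; it is not code from the advisory or from the Grav project. It walks a `user/pages`-style tree, parses each page's YAML frontmatter with a small standard-library parser, and reports every page whose header enables Twig processing via Grav's documented `process: {twig: true}` key, noting `twig_first` as a related indicator and counting the Twig tags present in the body. The three sample pages are constructed inline for the demonstration.

```python
"""Audit a Grav pages tree for frontmatter that turns on Twig processing.

Added example for this advisory; not code from the Grav project or the
advisory itself. Assumes Grav's documented frontmatter keys
`process: {twig: true}` (enables Twig for the page) and `twig_first: true`
(only meaningful when Twig processing is on). Sample pages are constructed.
"""
import re
import tempfile
from pathlib import Path

# Frontmatter is the YAML block between the leading `---` fences.
FRONTMATTER_RE = re.compile(r"\A---[ \t]*\n(.*?)\n?---[ \t]*\n?(.*)\Z", re.DOTALL)
# Twig output (`{{ ... }}`) and statement (`{% ... %}`) tags in the page body.
TWIG_TAG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)


def parse_frontmatter(text):
    """Return (header, body). The header parser covers the YAML subset Grav
    uses for processing flags: `key: value` lines nested by indentation."""
    m = FRONTMATTER_RE.match(text)
    if not m:
        return {}, text
    header, body = m.group(1), m.group(2)
    root = {}
    stack = [(-1, root)]  # (indent, mapping) along the current nesting path
    for raw in header.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent: leave nested mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:  # `key:` with nothing after it opens a nested mapping
            parent[key] = child = {}
            stack.append((indent, child))
    return root, body


def is_enabled(value):
    """Interpret a YAML boolean scalar (quoted or bare) as on/off."""
    return str(value).strip().strip("'\"").lower() in ("true", "1", "yes", "on")


def twig_enabled(header):
    """True when the page header switches on Twig processing."""
    process = header.get("process")
    return isinstance(process, dict) and is_enabled(process.get("twig", ""))


def audit_page(path, text):
    """Return a finding for a page that enables Twig processing, else None."""
    header, body = parse_frontmatter(text)
    if not twig_enabled(header):
        return None
    tags = TWIG_TAG_RE.findall(body)
    return {
        "path": str(path),
        "title": header.get("title", ""),
        "twig_first": is_enabled(header.get("twig_first", "")),
        "twig_tags": len(tags),
        "samples": tags[:3],  # first few tags for the reviewer's eyes
    }


def audit_tree(pages_root):
    """Walk a Grav pages tree and collect findings, sorted by path."""
    findings = []
    for md in sorted(Path(pages_root).rglob("*.md")):
        finding = audit_page(md, md.read_text(encoding="utf-8", errors="replace"))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample pages; only the second and third enable Twig processing.
SAMPLE_PAGES = {
    "01.home/default.md": "---\ntitle: Home\n---\n# Welcome\n",
    "02.blog/default.md": ("---\ntitle: Blog\nprocess:\n  markdown: true\n"
                           "  twig: true\n---\n{{ page.title }} updated {{ 'now'|date('Y') }}\n"),
    "03.about/default.md": ("---\ntitle: About\nprocess:\n  twig: true\n"
                            "twig_first: true\n---\n{{ page.title }}\n"),
}


def audit_sample_tree():
    """Write the constructed pages to a temporary tree and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_PAGES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return audit_tree(tmp)


if __name__ == "__main__":
    for f in audit_sample_tree():
        print(f"{f['path']}: Twig enabled (twig_first={f['twig_first']}), "
              f"{f['twig_tags']} tag(s) {f['samples']}")
```

Run `audit_tree("/path/to/grav/user/pages")` against a real install and diff the output against a known-good baseline on a schedule; a page that newly appears in the list is the kind of change the advisory describes and is worth tying back to the admin panel's edit history before deciding whether the page legitimately needs Twig.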
Details
- CWE(s)