CVE-2025-66299
Published: 01 December 2025
Summary
CVE-2025-66299 is a high-severity Code Injection (CWE-94) vulnerability in Getgrav Grav. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely remediation through patching to Grav CMS 1.8.0-beta.27 directly eliminates the SSTI vulnerability and sandbox bypass.
Validating and sanitizing user-supplied Twig template directives prevents injection of malicious code that bypasses the sandbox.
Enforcing least privilege restricts editor permissions to trusted users only, reducing the attack surface for SSTI exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSTI vulnerability allows authenticated low-privilege editors to bypass the Grav CMS sandbox via malicious Twig templates, enabling RCE. It maps to exploitation of a public-facing application (T1190), template injection (T1221), and exploitation for privilege escalation (T1068).
NVD Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox. This vulnerability is fixed in 1.8.0-beta.27.
Deeper analysis
CVE-2025-66299 is a Server-Side Template Injection (SSTI) vulnerability in Grav CMS, a file-based web platform. It affects versions prior to 1.8.0-beta.27, where the existing security sandbox does not fully protect the Twig templating object. This allows interaction with the Twig object—such as calling methods or reading/writing attributes—through maliciously crafted Twig template directives injected into a web page. Attackers can add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the sandbox.
Any authenticated user with editor permissions can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting the malicious Twig directives, they achieve arbitrary code execution on the remote server. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability, with associated CWEs CWE-94 (Improper Control of Generation of Code) and CWE-1336 (Incorrect Handling of Shared Resources).
The vulnerability is addressed in Grav CMS 1.8.0-beta.27. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x and the fixing commit at https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458.
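As an added example (not code from the advisory, NVD, or the Grav project), the following Python script implements the two defender checks that the mitigating controls and the analysis above point to: whether an installed Grav version is at or past 1.8.0-beta.27 (SI-2, Flaw Remediation), with pre-release tags compared numerically rather than as strings so that "beta.3" is not mistaken for a later build than "beta.27", and whether system.twig.safe_filters contains entries outside an allowlist, since the advisory describes the bypass as adding functions to that attribute. It assumes that Grav's system/defines.php declares the version with define('GRAV_VERSION', ...) and that user/config/system.yaml has already been parsed into a dict (for instance with PyYAML); the sample inputs at the bottom are constructed, not taken from a real install.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Fix version named in the advisory for CVE-2025-66299.
FIXED_VERSION = "1.8.0-beta.27"

# Pre-release tags in ascending order; a final release (no tag) ranks above all of them.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = len(_PRERELEASE_RANK)

# Matches "1.7.48", "1.8.0-beta.27", "1.8.0-rc.1". The tag/counter layout is an
# assumption based on Grav's published version strings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.?(\d+)?)?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Grav version string into a tuple that sorts correctly.

    Plain string comparison gets pre-releases wrong ("beta.3" > "beta.27"),
    so the tag and its counter are compared as integers.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    core = (int(major), int(minor), int(patch))
    if tag is None:
        return core + (_FINAL_RANK, 0)
    if tag not in _PRERELEASE_RANK:
        raise ValueError(f"unknown pre-release tag in {text!r}")
    return core + (_PRERELEASE_RANK[tag], int(tag_num or 0))


def is_patched(installed: str) -> bool:
    """True if the installed version is 1.8.0-beta.27 or later."""
    return parse_version(installed) >= parse_version(FIXED_VERSION)


def read_grav_version(defines_php: str) -> str:
    """Extract GRAV_VERSION from the contents of system/defines.php.

    Assumes the file declares define('GRAV_VERSION', '...'); both quote
    styles are accepted in case the file uses double quotes.
    """
    m = re.search(
        r"define\(\s*['\"]GRAV_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]", defines_php
    )
    if not m:
        raise ValueError("GRAV_VERSION not found in defines.php")
    return m.group(1)


def audit_safe_filters(system_config: Dict, allowlist: Sequence[str] = ()) -> List[str]:
    """Return entries of system.twig.safe_filters that are not on the allowlist.

    The advisory says the sandbox bypass works by adding arbitrary functions to
    this attribute, so any entry the site owner did not put there needs an explanation.
    """
    twig = system_config.get("twig") or {}
    filters = twig.get("safe_filters") or []
    allowed = set(allowlist)
    return sorted(str(f) for f in filters if f not in allowed)


def assess(installed: str, system_config: Dict, allowlist: Sequence[str] = ()) -> List[str]:
    """Combine both checks into a list of human-readable findings (empty means clean)."""
    findings: List[str] = []
    if not is_patched(installed):
        findings.append(f"Grav {installed} is older than {FIXED_VERSION}: upgrade (SI-2)")
    for name in audit_safe_filters(system_config, allowlist):
        findings.append(f"unexpected entry in system.twig.safe_filters: {name!r}")
    return findings


# Constructed sample inputs (not from a real install): a pre-fix beta and a
# system.yaml already parsed into a dict. "unexpected_fn" is a placeholder name.
SAMPLE_DEFINES_PHP = "<?php\ndefine('GRAV_VERSION', '1.8.0-beta.3');\n"
SAMPLE_SYSTEM_CONFIG = {"twig": {"safe_filters": ["e", "unexpected_fn"]}}

if __name__ == "__main__":
    version = read_grav_version(SAMPLE_DEFINES_PHP)
    for finding in assess(version, SAMPLE_SYSTEM_CONFIG, allowlist=["e"]):
        print(finding)
```

Run against a real install by reading system/defines.php for the version string and loading user/config/system.yaml into the dict that assess() expects; an empty findings list means the version is at or past the fix and safe_filters holds only what you expect.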
Details
- CWE(s)