CVE-2025-66294
Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
In short
Grav CMS has a vulnerability in its template engine that allows attackers with editor permissions to run malicious code on the server. The regex-based filter that is meant to block dangerous Twig constructs is weak and can be bypassed.
Technical detail
A Server-Side Template Injection (SSTI) vulnerability exists in Grav's Twig template engine because the cleanDangerousTwig method relies on insufficient regex validation. Authenticated attackers with editor permissions can execute arbitrary code; under specific conditions, unauthenticated exploitation may also be possible. Fixed in version 1.8.0-beta.27.
Summary generated and translated by AI from the official description.
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
getgrav · grav
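As an added example (not part of this advisory and not Grav's own code), the following Python check decides whether an installed Grav version falls inside the affected range stated above, "prior to 1.8.0-beta.27". Prerelease versions cannot be compared as plain strings ("1.8.0-beta.3" sorts after "1.8.0-beta.27" lexicographically), so the comparison follows SemVer precedence rules. The GRAV_VERSION constant in system/defines.php is an assumption about Grav's layout, and the PHP snippet it is read from is constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Version that closes CVE-2025-66294, as stated in the advisory.
FIXED_VERSION = "1.8.0-beta.27"

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?$"
)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split 'MAJOR.MINOR.PATCH[-PRERELEASE]' into a numeric core and prerelease tag."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    return core, m["pre"]


def _prerelease_key(pre: Optional[str]):
    """Sort key implementing SemVer prerelease precedence.

    A final release (no prerelease tag) ranks above every prerelease of the
    same core; within prereleases, numeric identifiers compare numerically and
    rank below alphanumeric ones, and a shorter identifier list ranks lower.
    """
    if pre is None:
        return (1,)
    parts = []
    for ident in pre.split("."):
        if ident.isdigit():
            parts.append((0, int(ident), ""))
        else:
            parts.append((1, 0, ident))
    return (0, tuple(parts))


def version_key(version: str):
    core, pre = parse_version(version)
    return (core, _prerelease_key(pre))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is strictly older than the fixed version."""
    return version_key(installed) < version_key(fixed)


def version_from_defines(php_source: str) -> Optional[str]:
    """Extract the GRAV_VERSION constant from system/defines.php.

    Assumption (not taken from the advisory): Grav declares its version as
    define('GRAV_VERSION', '...'); in that file.
    """
    m = re.search(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    return m.group(1) if m else None


# Constructed sample of what the defines file might contain.
SAMPLE_DEFINES_PHP = """<?php
define('GRAV_VERSION', '1.8.0-beta.26');
define('GRAV_SCHEMA', '1.7.0_2020-11-20_1');
"""


def check_sample() -> str:
    """Report whether the constructed sample installation is affected."""
    version = version_from_defines(SAMPLE_DEFINES_PHP)
    if version is None:
        return "GRAV_VERSION not found"
    state = "AFFECTED" if is_affected(version) else "fixed"
    return f"Grav {version}: {state} (fixed in {FIXED_VERSION})"


if __name__ == "__main__":
    print(check_sample())
    for v in ["1.7.48", "1.8.0-beta.3", "1.8.0-beta.27", "1.8.0-rc.1", "1.8.0"]:
        print(f"{v:>14}: {'affected' if is_affected(v) else 'not affected'}")
```

The check only tells you whether the code base is in the vulnerable range; the advisory's precondition (an account with editor permissions, or the unspecified unauthenticated path) still determines actual exposure, so pair the version result with a review of who holds editor access.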