CVE-2025-66305
CVE-2025-66305 is a medium-severity vulnerability in Getgrav Grav with a CVSS 3.x base score of 4.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-248.
Key facts
- Severity: Medium (CVSS 3.x base score 4.9)
- CVSS v4: 6.9
- EPSS exploit prediction: 0% (26th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-200105
- Weakness: CWE-248
- Affected product: Getgrav Grav
- Published:
- Last modified:
Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27.
Frequently asked questions
- What is CVE-2025-66305?
- Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27.
- How severe is CVE-2025-66305?
- CVE-2025-66305 has a CVSS 3.x base score of 4.9, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2025-66305 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-66305?
- CVE-2025-66305 primarily affects Getgrav Grav. In total, 27 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-66305?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-66305 have an EU (EUVD) identifier?
- Yes. CVE-2025-66305 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-200105.
- When was CVE-2025-66305 published?
- CVE-2025-66305 was published on 2025-12-01 and last updated on 2026-06-17.
References
- https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee
- https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6
Affected products (27)
- cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta10:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta11:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta12:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta13:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta14:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta15:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta16:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta17:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta18:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta19:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta20:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta21:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta22:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta23:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta24:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta25:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta26:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta8:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.8.0:beta9:*:*:*:*:*:*
More vulnerabilities in Getgrav Grav
- CVE-2023-34251 — Critical (CVSS 9.9): Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template…
- CVE-2021-47812 — Critical (CVSS 9.8): GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML…
- CVE-2025-46199 — Critical (CVSS 9.8): Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a…
- CVE-2025-66301 — Critical (CVSS 9.6): Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical…
- CVE-2026-42608 — Critical (CVSS 9.1): Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash…
- CVE-2025-66844 — Critical (CVSS 9.1): In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is…
All CVEs affecting Getgrav Grav →
Other CWE-248 vulnerabilities
- CVE-2018-11466 — Critical (CVSS 9.8): A vulnerability has been identified in SINUMERIK 808D V4.7 (All versions), SINUMERIK 808D V4.8 (All versions),…
- CVE-2024-42037 — Critical (CVSS 9.3): Vulnerability of uncaught exceptions in the Graphics module Impact: Successful exploitation of this vulnerability may…
- CVE-2025-53620 — Critical (CVSS 9.2): @builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed it dynamically load the…
- CVE-2026-46689 — High (CVSS 8.7): Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/...…
- CVE-2026-9509 — High (CVSS 8.7): An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an…
- CVE-2025-9124 — High (CVSS 8.7): A denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a…