What is the CVSS score of CVE-2025-66304?

CVE-2025-66304 has a CVSS 3.1 base score of 6.2 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of Grav are affected by CVE-2025-66304?

Organizations using Grav should be aware of moderate risk from CVE-2025-66304, a information exposure vulnerability rated CVSS 6.2. Sensitive information could be exposed to unauthorized parties.. A patch is available.

Is there a public PoC exploit available for CVE-2025-66304?

Yes, a public proof-of-concept exploit is available for CVE-2025-66304. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-66304?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review data exposure and access controls.

Grav CVE-2025-66304

EUVD-2025-200106 MEDIUM

Information Exposure (CWE-200)

2025-12-01 security-advisories@github.com

GHSA-gq3g-666w-7h85

Information Disclosure Privilege Escalation Grav

6.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.2 MEDIUM

AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 13:34 euvd

EUVD-2025-200106

Analysis Generated

Mar 15, 2026 - 13:34 vuln.today

Patch released

Mar 15, 2026 - 13:34 nvd

Patch available

PoC Detected

Dec 03, 2025 - 18:57 vuln.today

Public exploit code

CVE Published

Dec 01, 2025 - 22:15 nvd

MEDIUM 6.2

DescriptionGitHub Advisory

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-beta.27.

Analysis

Technical ContextAI

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Information Exposure (CWE-200).

RemediationAI

A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

CVE-2025-66304 vulnerability details – vuln.today

Back

Grav CVE-2025-66304

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code