What is the CVSS score of CVE-2025-66306?

CVE-2025-66306 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Grav are affected by CVE-2025-66306?

Organizations using Grav should be aware of moderate risk from CVE-2025-66306, a IDOR vulnerability rated CVSS 4.3. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-66306?

Yes, a public proof-of-concept exploit is available for CVE-2025-66306. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-66306?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Grav CVE-2025-66306

EUVD-2025-200104 MEDIUM

Authorization Bypass Through User-Controlled Key (CWE-639)

2025-12-01 security-advisories@github.com

GHSA-4cwq-j7jv-qmwg

Authentication Bypass Grav

4.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

4.3 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 13:34 euvd

EUVD-2025-200104

Analysis Generated

Mar 15, 2026 - 13:34 vuln.today

Patch released

Mar 15, 2026 - 13:34 nvd

Patch available

PoC Detected

Dec 03, 2025 - 18:45 vuln.today

Public exploit code

CVE Published

Dec 01, 2025 - 22:15 nvd

MEDIUM 4.3

DescriptionGitHub Advisory

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27.

Analysis

Technical ContextAI

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Authorization Bypass Through User-Controlled Key (CWE-639).

RemediationAI

A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

CVE-2025-66306 vulnerability details – vuln.today

Back

Grav CVE-2025-66306

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code