EUVD-2025-200103

| CVE-2025-66307 MEDIUM
2025-12-01 [email protected] GHSA-q3qx-cp62-f6m7
Information Disclosure Grav Plugin Admin
6.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Mar 15, 2026 - 13:34 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 13:34 euvd
EUVD-2025-200103
Patch Released
Mar 15, 2026 - 13:34 nvd
Patch available
PoC Detected
Dec 03, 2025 - 21:58 vuln.today
Public exploit code
CVE Published
Dec 01, 2025 - 22:15 nvd
MEDIUM 6.5

DescriptionNVD

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses. This allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering. This vulnerability is fixed in 1.11.0-beta.1.

AnalysisAI

A security vulnerability in This admin (CVSS 6.5). Risk factors: public PoC available. Vendor patch is available.

Technical ContextAI

Vulnerability type not specified by vendor. Affects This admin.

RemediationAI

Apply the vendor-supplied patch immediately.

Share

EUVD-2025-200103 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy