How to fix EUVD-2025-200110?

Within 24 hours: Inventory all Grav installations and their current versions; assess which systems have users with page editing privileges. Within 7 days: Apply the vendor patch to upgrade to Grav 1.8.0-beta.27 or later on all affected instances; conduct access reviews to identify unnecessary page editing permissions. Within 30 days: Reset all user passwords as a precautionary measure; enable multi-factor authentication; audit logs for unauthorized file access attempts.

Is Grav affected by EUVD-2025-200110?

A high-severity vulnerability in Grav CMS allows users with basic page editing permissions to access sensitive files, including encrypted user credentials and password reset tokens.

EUVD-2025-200110

| CVE-2025-66300 HIGH

2025-12-01 [email protected]

GHSA-p4ww-mcp9-j6f2

8.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 13:34 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 13:34 euvd

EUVD-2025-200110

Patch Released

Mar 15, 2026 - 13:34 nvd

Patch available

PoC Detected

Dec 03, 2025 - 15:45 vuln.today

Public exploit code

CVE Published

Dec 01, 2025 - 22:15 nvd

HIGH 8.5

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A low privilege user account with page editing privilege can read any server files using "Frontmatter" form. This includes Grav user account files (/grav/user/accounts/*.yaml), which store hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. This vulnerability is fixed in 1.8.0-beta.27.

Analysis

Technical Context

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.

Affected Products

Affected products: Getgrav Grav

Remediation

A vendor patch is available — apply it immediately. Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +42

POC: +20

EUVD-2025-200110 vulnerability details – vuln.today

Back

EUVD-2025-200110

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-200110

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code