CVE-2025-66304

6.2 MEDIUM
Published: December 01, 2025 Modified: December 03, 2025
View on NVD

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-beta.27.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7
Source: security-advisories@github.com
Patch
https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85
Source: security-advisories@github.com
Exploit Vendor Advisory
https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.2 / 10.0
EPSS (Exploit Probability)
0.1%
16th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-200 CWE-201

Affected Vendors

getgrav

Related CVEs

CVE-2025-69261 N/A
CVE-2025-69257 6.7
CVE-2025-69210 N/A
CVE-2025-66823 N/A
CVE-2025-50343 N/A