CVE-2025-66294: Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass

December 2, 2025

A Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method.

References

github.com/advisories/GHSA-662m-56v4-3r8f
github.com/getgrav/grav
github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458
github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f
nvd.nist.gov/vuln/detail/CVE-2025-66294

Code Behaviors & Features

Detect and mitigate CVE-2025-66294 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →