CVE-2025-66297: Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection

December 2, 2025

A user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities.

References

github.com/advisories/GHSA-858q-77wx-hhx6
github.com/getgrav/grav
github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458
github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6
nvd.nist.gov/vuln/detail/CVE-2025-66297

Code Behaviors & Features

Detect and mitigate CVE-2025-66297 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →