CVE-2025-66298: Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
Having a simple form on a site is enough to reveal the whole Grav configuration (including plugin configuration details) to anyone who submits a correctly crafted POST payload. The configuration may contain sensitive information.
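A defender-side check for the class of issue described above: a scan of form submissions that flags any field value carrying Twig template delimiters before it reaches a template. This is an added example, not code from the advisory or from the Grav project. It assumes the injection vector is Twig syntax (Grav renders with Twig); the field names, request records and values below are constructed for illustration.

```python
"""Flag form submissions whose field values contain Twig template delimiters.

Added example (not part of the advisory or of Grav). Assumption: an SSTI
attempt against a Twig-based form handler has to carry at least one Twig
delimiter pair, so their presence in user-supplied form data is a useful
review signal even when the rest of the payload is unknown.
"""
import re
from urllib.parse import parse_qs

# Twig delimiters: output ({{ }}), statement ({% %}) and comment ({# #}).
TWIG_DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")


def suspicious_fields(body: str) -> dict:
    """Return {field_name: [offending values]} for an application/x-www-form-urlencoded body.

    Values are URL-decoded first, so percent-encoded delimiters are caught too.
    """
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        flagged = [v for v in values if TWIG_DELIMS.search(v)]
        if flagged:
            hits[field] = flagged
    return hits


def scan_submissions(submissions: list) -> list:
    """Return (request_id, hits) pairs for POST records that warrant review.

    Each record is a dict with 'id', 'method', 'path' and 'body'; only POSTs
    are inspected because form submissions arrive that way.
    """
    findings = []
    for rec in submissions:
        if rec.get("method") != "POST":
            continue
        hits = suspicious_fields(rec.get("body", ""))
        if hits:
            findings.append((rec["id"], hits))
    return findings


# Constructed sample records (not real traffic). The second one carries a
# percent-encoded "{{ ping }}" in the message field.
SAMPLE_SUBMISSIONS = [
    {"id": "r1", "method": "POST", "path": "/contact",
     "body": "name=Alice&message=Hello+there"},
    {"id": "r2", "method": "POST", "path": "/contact",
     "body": "name=Bob&message=%7B%7B+ping+%7D%7D"},
    {"id": "r3", "method": "GET", "path": "/contact",
     "body": ""},
]

if __name__ == "__main__":
    for request_id, hits in scan_submissions(SAMPLE_SUBMISSIONS):
        print(f"{request_id}: review fields {sorted(hits)}")
```

The check is deliberately coarse: it does not try to decide whether an expression is harmful, only whether user input is shaped like template code at all, which is the condition a form handler should never pass through to the template engine. Pair it with updating Grav to a version that addresses this advisory.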