CVE-2025-66301: Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
Due to a broken access control vulnerability in the /admin/pages/{page_name} endpoint, an editor (a user with full permissions to pages) can change the functionality of a form after submission.