CVE-2025-66302: Grav vulnerable to Path Traversal allowing server files backup

December 2, 2025

A path traversal vulnerability has been identified in Grav CMS, versions 1.7.49.5 , allowing authenticated attackers
with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due
to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling
access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of
the user account running the application.

References

github.com/advisories/GHSA-j422-qmxp-hv94
github.com/getgrav/grav
github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee
github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94
nvd.nist.gov/vuln/detail/CVE-2025-66302

Code Behaviors & Features

Detect and mitigate CVE-2025-66302 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →