CVE-2025-66307: Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure
A user enumeration and email disclosure vulnerability exists in Grav v1.7.49.5 with Admin plugin v1.10.49.1.
The “Forgot Password” functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses.
This allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering.
References
- github.com/advisories/GHSA-q3qx-cp62-f6m7
- github.com/getgrav/grav
- github.com/getgrav/grav-plugin-admin/blob/6d673fc7c4f6962756f93ae651371e81f7f20924/classes/plugin/Controllers/Login/LoginController.php
- github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0
- github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7
- nvd.nist.gov/vuln/detail/CVE-2025-66307
Code Behaviors & Features
Detect and mitigate CVE-2025-66307 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →