Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access. This vulnerability is fixed in 1.8.0-beta.27.

INFO

Published Date :

2025-12-01T21:03:07.231Z

Last Modified :

2025-12-02T14:06:13.212Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66296 vulnerability.

Vendors Products
Getgrav
  • Grav
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66296.

URL Resource
https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741 cve-icon cve-icon
https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact