CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2025-66296

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access. This vulnerability is fixed in 1.8.0-beta.27.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 8.5%

CVSS Severity

CVSS v3 Score 8.8

References

https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741
https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm

Products affected by CVE-2025-66296

Getgrav » Grav » Version: 1.7.49.5

cpe:2.3:a:getgrav:grav:1.7.49.5
Getgrav » Grav » Version: 1.8.0

cpe:2.3:a:getgrav:grav:1.8.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2025-66296

Products

Pricing

Contact Us