← Back

CVE-2025-66296

nvd nist
Published: Dec 1, 2025Modified: Dec 4, 2025

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: security-advisories@github.com (Secondary)

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access. This vulnerability is fixed in 1.8.0-beta.27.

Affected (27)

Products: Getgrav: Grav
Getgrav
1 product
Grav
Configuration A
27 vulnerable
Vulnerable SoftwareAffected Versions
Getgrav
Grav
From 1.7.49.5 to 1.8.0
Grav
Version 1.8.0 beta10
Grav
Version 1.8.0 beta11
Grav
Version 1.8.0 beta12
Grav
Version 1.8.0 beta13
Grav
Version 1.8.0 beta14
Grav
Version 1.8.0 beta15
Grav
Version 1.8.0 beta16
Grav
Version 1.8.0 beta17
Grav
Version 1.8.0 beta18
Grav
Version 1.8.0 beta19
Grav
Version 1.8.0 beta1
Grav
Version 1.8.0 beta20
Grav
Version 1.8.0 beta21
Grav
Version 1.8.0 beta22
Grav
Version 1.8.0 beta23
Grav
Version 1.8.0 beta24
Grav
Version 1.8.0 beta25
Grav
Version 1.8.0 beta26
Grav
Version 1.8.0 beta2
Grav
Version 1.8.0 beta3
Grav
Version 1.8.0 beta4
Grav
Version 1.8.0 beta5
Grav
Version 1.8.0 beta6
Grav
Version 1.8.0 beta7
Grav
Version 1.8.0 beta8
Grav
Version 1.8.0 beta9

Related CWEs

CWE-266
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (2)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Vendor Advisory

Timeline

No history available yet.