Reconnecting to live updates…

CVE-2025-66295: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getgrav grav

High

VulnerabilityCVE-2025-66295cve cve-2025-66295 cwe-22

Published: Mon Dec 01 2025 (12/01/2025, 20:46:56 UTC)

Source: CVE Database V5

Vendor/Project: getgrav

Product: grav

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27.

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-26T23:11:46.393Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 692e0147821c4e4a8f8d8923

Added to database: 12/1/2025, 8:57:43 PM

Last updated: 12/1/2025, 8:58:30 PM

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by

Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.