
CVE-2025-66300: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getgrav grav

Severity: High
Tags: vulnerability, cve-2025-66300, cwe-22
Published: Mon Dec 01 2025 (12/01/2025, 21:19:00 UTC)
Source: CVE Database V5
Vendor/Project: getgrav
Product: grav

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low-privilege user account with page editing privileges can read any server file using the "Frontmatter" form. This includes Grav user account files (/grav/user/accounts/*.yaml), which store the hashed user password, the 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account, either by triggering a password reset for a user and reading the reset token from the file, or by cracking the hashed password. This vulnerability is fixed in 1.8.0-beta.27.

AI-Powered Analysis

Last updated: 12/08/2025, 22:17:20 UTC

Technical Analysis

CVE-2025-66300 is a path traversal vulnerability (CWE-22) identified in Grav, a popular file-based web content management system. The flaw exists in versions prior to 1.8.0-beta.27 and allows a low-privilege user with page editing capabilities to use the 'Frontmatter' form to read arbitrary files on the server. The form does not adequately restrict the supplied pathname, so a request can traverse outside the intended directory scope. Critically, this includes access to Grav user account files stored in /grav/user/accounts/*.yaml, which contain sensitive information such as hashed passwords, two-factor authentication (2FA) secrets, and password reset tokens. An attacker can leverage this information to compromise user accounts by either resetting passwords using the exposed tokens or attempting offline cracking of the hashed passwords. The vulnerability does not require user interaction but does require the attacker to have at least page editing privileges, which may be granted to low-privilege users in some deployments. The CVSS 3.1 base score is 8.5, reflecting high severity due to the ease of exploitation over the network (AV:N), low attack complexity (AC:L), and the significant confidentiality impact (C:H). The vulnerability has no impact on integrity (I:N) and a limited impact on availability (A:L). No known exploits in the wild have been reported yet. The issue was publicly disclosed on December 1, 2025, and fixed in Grav version 1.8.0-beta.27. The vulnerability highlights the risk of insufficient input validation and directory traversal protections in web platforms that handle user-generated content and configuration files.

Potential Impact

For European organizations using Grav versions prior to 1.8.0-beta.27, this vulnerability poses a significant risk to the confidentiality of user credentials and authentication secrets. Unauthorized access to hashed passwords and 2FA secrets can lead to account takeover, enabling attackers to impersonate legitimate users and escalate privileges. This can result in unauthorized content modification, data leakage, and potential lateral movement within the network. The ability to reset passwords using leaked tokens further exacerbates the risk, potentially bypassing other security controls. Organizations relying on Grav for public-facing websites or internal portals may face reputational damage, regulatory compliance issues (e.g., GDPR breaches due to unauthorized access), and operational disruptions. The limited impact on integrity and availability means the primary concern is unauthorized data disclosure and account compromise rather than service disruption. The vulnerability is particularly critical in environments where multiple users have page editing privileges, increasing the attack surface.

Mitigation Recommendations

The primary mitigation is to upgrade Grav installations to version 1.8.0-beta.27 or later, where the vulnerability is patched. Until the upgrade can be performed, organizations should restrict page editing privileges strictly to trusted users and review user roles to minimize the number of accounts with such access. Implementing strict input validation and sanitization on user-supplied data, especially in the 'Frontmatter' form, can reduce exploitation risk. Monitoring and logging access to sensitive files and unusual file read patterns can help detect exploitation attempts. Additionally, enforcing strong password policies and multi-factor authentication can mitigate the impact of compromised credentials. Regularly auditing Grav user account files and resetting passwords for accounts with suspicious activity is recommended. Network segmentation and web application firewalls (WAFs) configured to detect path traversal attempts may provide additional defense layers. Finally, organizations should maintain an incident response plan to quickly address potential breaches stemming from this vulnerability.
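The input validation this section recommends comes down to one control: a user-supplied file name must be canonicalised and then proven to sit inside the directory the feature is meant to expose. The example below is added here to illustrate that control and is not Grav's code or its patch (Grav is PHP; Python is used so the example runs stand-alone). It contrasts a string-prefix check on the unnormalised path, which `../` segments slip past, with a containment check on the resolved path. The `user/pages` and `user/accounts` layout, the file names and the hash value are constructed for the demonstration.

```python
"""Added example: restricting a user-supplied file name to a base directory.
Illustrative code written for this page, not Grav's own implementation.
The directory tree built by build_demo_tree() is constructed for the demo."""
import os
import tempfile


def naive_resolve(base_dir: str, user_path: str) -> str:
    """Insufficient check: joins the path and tests a string prefix on the
    *unnormalised* result. '../accounts/x.yaml' still starts with base_dir,
    so it passes even though it escapes the directory."""
    candidate = os.path.join(base_dir, user_path)
    if not candidate.startswith(base_dir):
        raise PermissionError(f"outside base directory: {user_path}")
    return candidate


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Hardened check: canonicalise both sides (collapsing '..' and following
    symlinks), then require the base directory to be the common path.
    commonpath() also defeats the 'pages2' vs 'pages' prefix trick that a plain
    startswith() would accept."""
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, user_path))
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise PermissionError(f"refusing path outside {real_base}: {user_path}")
    return candidate


def build_demo_tree() -> str:
    """Create a throwaway tree mirroring a pages directory beside an accounts
    directory. All contents are constructed placeholders."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    pages = os.path.join(root, "user", "pages")
    accounts = os.path.join(root, "user", "accounts")
    os.makedirs(pages)
    os.makedirs(accounts)
    with open(os.path.join(pages, "default.md"), "w") as fh:
        fh.write("---\ntitle: Home\n---\n")
    with open(os.path.join(accounts, "admin.yaml"), "w") as fh:
        fh.write("password: 'CONSTRUCTED-PLACEHOLDER-HASH'\n")  # not a real hash
    return root


def classify(resolver, base_dir: str, user_path: str) -> str:
    """Run a resolver and report whether it allowed or rejected the path."""
    try:
        resolver(base_dir, user_path)
        return "allowed"
    except PermissionError:
        return "rejected"


if __name__ == "__main__":
    root = build_demo_tree()
    pages_dir = os.path.join(root, "user", "pages")
    for name in ("default.md", "../accounts/admin.yaml", "/etc/passwd"):
        print(f"{name!r:28} naive={classify(naive_resolve, pages_dir, name):8} "
              f"safe={classify(safe_resolve, pages_dir, name)}")
```

The important design point is that the decision is made on the path the operating system will actually open (`realpath`), not on the string the user sent; any check applied before normalisation can be satisfied by a string that later resolves somewhere else. An absolute path (`/etc/passwd`) is rejected by both resolvers only because `os.path.join` discards the base for absolute input, so the hardened version is the one to rely on.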


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-26T23:11:46.394Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692e07e33937fa579fd7fc6c

Added to database: 12/1/2025, 9:25:55 PM

Last enriched: 12/8/2025, 10:17:20 PM

Last updated: 1/16/2026, 11:05:34 AM

Views: 58
