
CVE-2025-66302: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getgrav grav

Medium
Tags: vulnerability, cve, cve-2025-66302, cwe-22
Published: Mon Dec 01 2025 (12/01/2025, 21:33:40 UTC)
Source: CVE Database V5
Vendor/Project: getgrav
Product: grav

Description

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27.

AI-Powered Analysis

Last updated: 12/08/2025, 22:09:22 UTC

Technical Analysis

Grav CMS, a file-based web platform, contains a path traversal vulnerability tracked as CVE-2025-66302 (CWE-22) in versions prior to 1.8.0-beta.27. The flaw is in the backup tool: a user-supplied path is used to locate a file to read without being canonicalised and confined to the intended directory, so an authenticated user with administrative privileges can supply traversal sequences such as "../" segments and read files outside the webroot. What can be read is bounded only by the permissions of the account running the web server or PHP process; configuration files, credentials and other secrets stored on the host are the obvious targets. Exploitation requires a Grav administrator account: unauthenticated users and lower-privileged users cannot trigger it. The CVSS 3.1 base score is 6.8 (Medium), vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N: network attack vector, low attack complexity, high privileges required, no user interaction, a scope change with high confidentiality impact and no integrity or availability impact. No exploitation in the wild had been reported at the time of analysis. The fix in 1.8.0-beta.27 adds proper input validation and path restriction in the backup tool. Note that the published affected range ("prior to 1.8.0-beta.27") is not limited to the 1.8 beta series; deployments on earlier release lines should confirm their exposure against the vendor advisory rather than assume they are out of scope.
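To make the flaw class concrete, the following is an added example written for this page in Python; it is not Grav's code (Grav is written in PHP) and does not reproduce the actual backup tool. It models a backup-download routine that joins a user-supplied name onto the backups directory with no containment check, beside a hardened version that canonicalises the path and refuses anything that resolves outside the allowed root, including symlinks that point out of it. The directory layout, file names and file contents are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def read_backup_unsafe(backup_root: str, user_path: str) -> bytes:
    """Vulnerable pattern: the user-controlled name is joined onto the
    backup directory with no canonicalisation or containment check, so
    "../" segments walk out of it (and an absolute user_path would make
    os.path.join discard backup_root entirely)."""
    target = os.path.join(backup_root, user_path)
    with open(target, "rb") as fh:
        return fh.read()


def read_backup_safe(backup_root: str, user_path: str) -> bytes:
    """Hardened version: reject absolute paths and NUL bytes, resolve the
    candidate (collapsing ".." and following symlinks), then require the
    result to sit inside the resolved backup root."""
    if "\x00" in user_path or os.path.isabs(user_path):
        raise PermissionError("invalid backup name")
    root = Path(backup_root).resolve()
    target = (root / user_path).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes backup directory: {user_path!r}")
    if not target.is_file():
        raise FileNotFoundError(user_path)
    return target.read_bytes()


def demo() -> dict:
    """Build a throwaway site tree (constructed data) and exercise both
    functions; returns the outcome of each call for inspection."""
    base = Path(tempfile.mkdtemp())
    backups = base / "backups"
    backups.mkdir()
    (backups / "site.zip").write_bytes(b"PK-constructed-archive")
    secret = base / "user" / "config" / "security.yaml"
    secret.parent.mkdir(parents=True)
    secret.write_text("salt: constructed-secret\n")

    results = {}
    results["unsafe_legit"] = read_backup_unsafe(str(backups), "site.zip")
    # The traversal leaves backups/ and reads the config file.
    results["unsafe_traversal"] = read_backup_unsafe(
        str(backups), "../user/config/security.yaml")
    results["safe_legit"] = read_backup_safe(str(backups), "site.zip")
    try:
        read_backup_safe(str(backups), "../user/config/security.yaml")
        results["safe_traversal"] = "allowed"
    except PermissionError:
        results["safe_traversal"] = "blocked"
    # A symlink inside backups/ that points outside is caught too, because
    # resolve() follows it before the containment check.
    link = backups / "link.yaml"
    try:
        link.symlink_to(secret)
    except OSError:
        results["safe_symlink"] = "skipped"  # platform without symlink support
        return results
    try:
        read_backup_safe(str(backups), "link.yaml")
        results["safe_symlink"] = "allowed"
    except PermissionError:
        results["safe_symlink"] = "blocked"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The containment check compares resolved paths rather than inspecting the input string for "../", which is the point: encoded, doubled or symlink-based variants all collapse to a real filesystem location, and it is that location, not the spelling of the request, that must be inside the backup directory.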

Potential Impact

For European organizations running Grav CMS, an attacker who already holds administrative access could use this flaw to read sensitive files on the host: configuration files (Grav's own live on the filesystem), private keys, or data belonging to other applications on the same server. Exposed credentials or secrets could then support further attacks. Grav is used for content management by government agencies, educational institutions and private enterprises, and organizations with strict data protection obligations under GDPR face regulatory penalties and reputational damage from unauthorized data exposure. The requirement for administrative privileges confines the realistic attack surface to malicious insiders and compromised admin accounts, which lowers the likelihood of widespread exploitation. The vulnerability does not directly affect integrity or availability, but it can serve as one step in a broader attack chain.

Mitigation Recommendations

European organizations should upgrade Grav CMS installations to version 1.8.0-beta.27 or later. Because the fix shipped in a beta of the 1.8 series, check the vendor advisory for guidance on the release line you run before deciding whether to move to the beta or wait for a stable release that contains the fix; in the meantime treat every installation before 1.8.0-beta.27 as affected. Until the upgrade is applied, restrict administrative access to trusted personnel, enforce multi-factor authentication on admin accounts to limit the impact of credential theft, and audit administrative accounts regularly. Log and review use of the backup tool, and alert on requests to its endpoints whose parameters contain traversal sequences such as "../", including URL-encoded and double-encoded forms ("%2e%2e%2f", "%252e%252e%252f"); a WAF rule scoped to the admin backup endpoints can block the same patterns, but treat it as a stopgap, not a fix. Limit what a successful traversal can reach: run the PHP process as a dedicated low-privilege user, make sure secrets belonging to other services on the host are not readable by that user, and consider PHP's open_basedir directive to confine file access to the site tree (this keeps system files out of reach but does not protect Grav's own configuration files, which the process must read). Keep backups outside the webroot and protect their integrity and confidentiality. Finally, maintain an inventory of Grav CMS deployments within the organization so that every instance is patched promptly.
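As an added example of the monitoring suggested above (not from the page or from Grav), the following Python scans combined-format web server access log lines for requests to the backup endpoints that carry traversal sequences, decoding percent-encoding repeatedly so that double-encoded payloads are caught. The endpoint prefix "/admin/tools/backups", the IP addresses, the usernames and every log line are constructed placeholders; set BACKUP_PREFIX to the actual admin backup path of your deployment.

```python
import re
from urllib.parse import unquote

# Assumption: the admin backup endpoints live under this prefix; adjust it
# to match the real path in your installation.
BACKUP_PREFIX = "/admin/tools/backups"

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# ".." followed by a slash, backslash or end of string, checked after decoding;
# this also catches "....//"-style padding because it still contains "../".
TRAVERSAL_RE = re.compile(r'\.\.(?:[\\/]|$)')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded payloads such as %252e%252e%252f become '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(request_path: str) -> bool:
    """True when the decoded request targets the backup endpoints and
    carries a traversal sequence anywhere in the path or query string."""
    decoded = fully_decode(request_path)
    return decoded.startswith(BACKUP_PREFIX) and TRAVERSAL_RE.search(decoded) is not None


def scan(lines):
    """Return one record per suspicious request. The status field lets the
    reviewer separate blocked attempts (e.g. 403) from requests the server
    actually served (200), which are the ones that need incident handling."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["path"]):
            hits.append({"ip": m["ip"], "user": m["user"], "time": m["time"],
                         "path": m["path"], "status": m["status"]})
    return hits


# Constructed sample: two legitimate backup requests, three traversal attempts
# (plain, URL-encoded, double-encoded) and an unrelated "../" outside the
# backup endpoints that the scope check deliberately ignores.
SAMPLE_LOG = """\
203.0.113.10 - admin [01/Dec/2025:22:01:03 +0000] "GET /admin/tools/backups HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - admin [01/Dec/2025:22:01:40 +0000] "GET /admin/tools/backups/download?file=site-20251201.zip HTTP/1.1" 200 84112 "-" "Mozilla/5.0"
198.51.100.7 - admin [01/Dec/2025:22:03:15 +0000] "GET /admin/tools/backups/download?file=../../user/config/security.yaml HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.7 - admin [01/Dec/2025:22:03:16 +0000] "GET /admin/tools/backups/download?file=%2e%2e%2f%2e%2e%2fuser%2fconfig%2fsecurity.yaml HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.7 - admin [01/Dec/2025:22:03:17 +0000] "GET /admin/tools/backups/download?file=%252e%252e%252f%252e%252e%252f.env HTTP/1.1" 403 0 "-" "curl/8.4.0"
192.0.2.5 - - [01/Dec/2025:22:04:00 +0000] "GET /blog/../about HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['ip']} user={hit['user']} status={hit['status']} {hit['path']}")
```

Scoping the match to the backup endpoints keeps the noise down, but a "../" against any admin endpoint from an administrator's session is still worth a second look; widen BACKUP_PREFIX to the admin root if you prefer recall over precision. Decoding is bounded to a few rounds on purpose so a hostile input cannot keep the scanner busy.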


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-26T23:11:46.394Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 692e0bb43937fa579fdf7d4a

Added to database: 12/1/2025, 9:42:12 PM

Last enriched: 12/8/2025, 10:09:22 PM

Last updated: 1/16/2026, 3:11:15 AM
