CVE-2025-66302: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in getgrav grav
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27.
AI Analysis
Technical Summary
CVE-2025-66302 is a path traversal vulnerability classified under CWE-22 affecting Grav CMS, a file-based web platform. The vulnerability exists in versions prior to 1.8.0-beta.27 within the backup tool component, where user-supplied paths are not properly sanitized or restricted to the intended webroot directory. This flaw allows authenticated attackers with administrative privileges to manipulate file paths and access arbitrary files on the underlying server filesystem outside the webroot. Since Grav CMS is file-based, unauthorized file reads can expose sensitive configuration files, credentials, or other critical data, compromising confidentiality. The vulnerability does not permit modification or deletion of files, nor does it affect system availability. Exploitation requires administrative authentication but no additional user interaction, and the attack can be performed remotely over the network. The vulnerability was publicly disclosed on December 1, 2025, with no known exploits in the wild at the time of publication. The issue is resolved in Grav CMS version 1.8.0-beta.27 by implementing proper input validation and path restriction mechanisms in the backup tool. The CVSS v3.1 base score is 6.8, reflecting a medium severity due to the high impact on confidentiality and the requirement for high privileges but ease of network exploitation without user interaction.
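The fix described above, restricting a user-supplied backup path to the webroot, comes down to a containment check: canonicalise the path and compare whole components against the allowed directory. The following is an added Python illustration of that check (Grav itself is PHP; this is not the project's code), with a constructed temporary directory layout standing in for a webroot, a symlink that escapes it, and a sibling directory that a string-prefix comparison would wrongly accept.

```python
import os
import tempfile
from typing import Optional

def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical path for user_path if it lies inside base_dir, else None.

    Canonicalise both sides (collapsing '..' and following symlinks) and then
    compare whole path components, never raw string prefixes.
    """
    base = os.path.realpath(base_dir)
    try:
        # join() discards base when user_path is absolute, so an absolute input
        # is simply checked as-is and rejected below if it is outside base.
        candidate = os.path.realpath(os.path.join(base, user_path))
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # embedded NUL byte, or mixed drives on Windows
        return None
    return candidate if inside else None

def naive_prefix_check(base_dir: str, user_path: str) -> bool:
    """The weak variant: a startswith() test accepts a sibling directory such as
    'webroot2' because it shares the string prefix 'webroot'."""
    base = os.path.realpath(base_dir)
    return os.path.realpath(os.path.join(base, user_path)).startswith(base)

def build_demo() -> str:
    """Create a constructed, throwaway layout under a temp dir (not a real Grav
    install) and return its webroot:
      webroot/backups/site.zip   legitimate backup target
      webroot/escape -> secret   symlink pointing outside the webroot
      webroot2/x.txt             sibling dir sharing the string prefix
      secret/creds.txt           file that must stay unreadable
    """
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "webroot")
    for d in ("webroot/backups", "webroot2", "secret"):
        os.makedirs(os.path.join(root, d))
    for f in ("webroot/backups/site.zip", "webroot2/x.txt", "secret/creds.txt"):
        open(os.path.join(root, f), "w").close()
    os.symlink(os.path.join(root, "secret"), os.path.join(webroot, "escape"))
    return webroot

if __name__ == "__main__":
    w = build_demo()
    for p in ("backups/site.zip", "../secret/creds.txt", "escape/creds.txt",
              "../webroot2/x.txt", "/etc/passwd"):
        print(f"{p!r:28} -> {resolve_within(w, p)}")
```

Only the first probe resolves to a path; the traversal, symlink, sibling-directory and absolute-path inputs all return None, while the naive check still lets the sibling directory through.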
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data hosted on Grav CMS platforms. Unauthorized file disclosure could lead to leakage of critical information such as configuration files, database credentials, or personal data protected under GDPR, potentially resulting in regulatory penalties and reputational damage. Since Grav CMS is used by various small to medium enterprises and public sector websites across Europe, exploitation could disrupt trust and operational security. The requirement for administrative privileges limits the attack surface to insiders or compromised admin accounts, but the ease of exploitation once authenticated increases risk. The vulnerability does not affect data integrity or availability, so direct service disruption is unlikely. However, the exposure of sensitive files could facilitate further attacks, including privilege escalation or lateral movement within networks. Organizations handling personal or confidential data should consider this vulnerability a priority for remediation to maintain compliance and security posture.
Mitigation Recommendations
European organizations should immediately upgrade Grav CMS installations to version 1.8.0-beta.27 or later, where the vulnerability is patched. Until upgrades can be applied, restrict administrative access to the Grav CMS backend using strong authentication mechanisms such as multi-factor authentication (MFA) and IP whitelisting to reduce the risk of credential compromise. Conduct regular audits of administrative accounts and monitor logs for unusual file access patterns indicative of exploitation attempts. Implement web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the backup tool endpoints. Additionally, isolate Grav CMS servers within segmented network zones with limited access to sensitive backend systems and files. Educate administrators on the risks of this vulnerability and enforce the principle of least privilege to minimize the number of users with administrative rights. Finally, perform regular backups and verify their integrity to ensure recovery capability in case of compromise.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-26T23:11:46.394Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692e0bb43937fa579fdf7d4a
Added to database: 12/1/2025, 9:42:12 PM
Last enriched: 12/1/2025, 9:56:36 PM
Last updated: 12/1/2025, 10:55:25 PM