CVE-2025-66304 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information) and CWE-201 (Information Exposure Through Sent Data) affecting the Grav web platform versions prior to 1.8.0-beta.27. Grav is a flat-file CMS that stores content and configuration in files rather than a database. The vulnerability arises because users who have read access to the user account management section of the admin panel can view password hashes of all users, including the administrator account. These password hashes, if exposed, can be subjected to offline brute-force or dictionary attacks to recover plaintext passwords. Successful cracking of these hashes can lead to privilege escalation, allowing attackers to gain administrative control over the Grav installation. The vulnerability requires the attacker to have read privileges on the admin panel's user management section, which implies that the attacker already has some level of authorized access, but not necessarily administrative privileges. The CVSS v3.1 base score is 6.2 (medium), reflecting the network attack vector, high attack complexity, requirement for privileges, no user interaction, and high impact on confidentiality and integrity with low impact on availability. The vulnerability was publicly disclosed on December 1, 2025, and fixed in version 1.8.0-beta.27. There are no known exploits in the wild at this time. The lack of patch links suggests users must obtain the fixed version directly from the vendor. This vulnerability highlights the importance of strict access control and secure handling of password hashes within web applications.

For European organizations using Grav CMS, this vulnerability poses a significant risk to the confidentiality and integrity of user credentials. Exposure of password hashes can lead to offline cracking attempts, potentially resulting in unauthorized administrative access and full compromise of the affected web platform. This can lead to data breaches, defacement, or use of the compromised site as a pivot point for further attacks within the organization’s network. Organizations in sectors with sensitive data such as finance, healthcare, and government are particularly at risk. The requirement for read access to the user management section means that insider threats or attackers who have gained limited access could escalate privileges. Given the widespread use of Grav in small to medium enterprises and agencies across Europe, the vulnerability could impact many organizations if not promptly addressed. The medium CVSS score indicates a moderate but actionable risk, especially in environments where access controls are weak or where password hashes are not salted or hashed with strong algorithms.

European organizations should immediately upgrade all Grav installations to version 1.8.0-beta.27 or later to remediate this vulnerability. Until upgrading is possible, restrict read access to the user account management section of the admin panel to only trusted administrators. Implement strong access control policies and audit user permissions regularly to ensure no unauthorized users have read privileges in sensitive areas. Use strong, salted, and computationally expensive hashing algorithms for storing passwords to reduce the risk of successful cracking. Monitor logs for unusual access patterns to the admin panel and user management sections. Employ multi-factor authentication (MFA) for admin panel access to reduce the risk of credential compromise. Conduct regular security assessments and penetration tests focusing on access controls and credential management. Finally, educate staff about the risks of privilege escalation and the importance of safeguarding admin panel credentials.