• Cybersecurity Vulnerabilities

    CVE-2025-66299: Critical SSTI Vulnerability in Grav CMS Allows Remote Code Execution

    Overview
    CVE-2025-66299 is a high-severity Server-Side Template Injection (SSTI) vulnerability affecting Grav CMS, a file-based web platform. It allows authenticated users with editor permissions to execute arbitrary code on the server, bypassing the existing security sandbox. Versions prior to 1.8.0-beta.27 are affected. This advisory provides technical details, an impact assessment, and mitigation steps for the flaw.

    Technical Details
    The vulnerability lies in the insufficient protection of the Twig object within the Grav CMS security sandbox. By injecting maliciously crafted Twig template directives into a web page, an authenticated editor can interact with the Twig…

  • Cybersecurity Vulnerabilities

    Critical Configuration Exposure in Grav CMS: Understanding and Mitigating CVE-2025-66298

    Overview
    CVE-2025-66298 describes a Server-Side Template Injection (SSTI) vulnerability in Grav, a file-based web platform. Prior to version 1.8.0-beta.27, a simple form on a Grav site could be exploited to reveal the entire Grav configuration, including sensitive plugin configuration, by submitting a specially crafted POST payload that triggered the template injection. The issue is patched in Grav version 1.8.0-beta.27.

    Published: 2025-12-01T22:15:49.103

    Technical Details
    The vulnerability resides in how Grav processes form data within its templating engine. By manipulating the POST data submitted through a form, an attacker can inject malicious template code that, when processed by…

  • Cybersecurity Vulnerabilities

    CVE-2025-65622: Snipe-IT Locations ‘Country’ Field Vulnerable to Stored XSS

    Overview
    CVE-2025-65622 describes a stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT affecting versions prior to 8.3.4. The flaw resides in the “Country” field of the Locations module. A low-privileged authenticated user can store malicious JavaScript in that field, and it then executes in the browser sessions of other users who view the same location.

    Technical Details
    The vulnerability stems from insufficient input sanitization and output encoding of the “Country” field within the Locations section of Snipe-IT. A malicious user can inject JavaScript code into this field. When another user views or interacts with the affected location data,…

  • Cybersecurity Vulnerabilities

    Grav CMS Under Threat: CVE-2025-66297 Allows Remote Code Execution and Privilege Escalation

    Overview
    CVE-2025-66297 describes a critical security vulnerability affecting Grav, a file-based web platform. This flaw allows a user with admin panel access and permission to create or edit pages to escalate their privileges to administrator and execute arbitrary system commands. The vulnerability stems from the ability to enable Twig processing within page frontmatter, leading to potential Remote Code Execution (RCE) and Privilege Escalation (PE). It has been addressed in Grav version 1.8.0-beta.27.

    Technical Details
    The vulnerability lies in the insufficient sanitization of Twig expressions when enabled within the page frontmatter. An attacker with appropriate permissions can inject malicious Twig…

  • Cybersecurity Vulnerabilities

    Critical Privilege Escalation Vulnerability Plagues Grav CMS: CVE-2025-66296

    Overview
    CVE-2025-66296 is a high-severity privilege escalation vulnerability affecting Grav, a file-based web platform. This flaw allows a user with limited user-manager permissions to gain full administrator access by creating a new account with the same username as an existing administrator, bypassing the expected username uniqueness validation. The vulnerability has been addressed in version 1.8.0-beta.27.

    Technical Details
    The vulnerability stems from the absence of proper username uniqueness validation within Grav’s Admin plugin when creating new users. An attacker with the permission to create users (the “create user” permission, typically assigned to User Manager roles) can exploit this by: Creating a new…

  • Cybersecurity Vulnerabilities

    CVE-2025-66295: Critical Path Traversal Vulnerability in Grav CMS User Creation

    Overview
    CVE-2025-66295 is a high-severity vulnerability affecting Grav CMS, a file-based web platform. Specifically, it is a path traversal flaw in the user creation process of the Admin UI. It allows a malicious user with user creation privileges to manipulate the username field so that account YAML files are written to arbitrary locations outside the intended user/accounts/ directory.

    Technical Details
    The vulnerability stems from insufficient sanitization of the username field during user creation via the Admin UI. When a user with the appropriate privileges (i.e., the ability to create new users) submits a username containing path traversal sequences like ..\Nijat or ../Nijat,…
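    The two account-creation findings above (CVE-2025-66296, duplicate usernames; CVE-2025-66295, traversal sequences in the username) share one root: the username is accepted as typed and used to name a file. The following is an added example, not Grav's code, showing the two checks a user-creation handler needs: an identifier allowlist applied before the value ever touches a path, and a case-insensitive uniqueness check against existing accounts. The allowlist rule, the accounts directory and the sample names are assumptions for the example.

```python
import os
import re

# Allowlist for a new account name: a lowercase letter or digit first, then
# letters, digits, '.', '_' or '-', 3-32 characters total. This exact rule is
# an assumption for the example; Grav's own policy is not shown on this page.
USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{2,31}")


class UsernameError(ValueError):
    """Raised when a proposed username fails validation."""


def unsafe_account_path(accounts_dir: str, username: str) -> str:
    """The pattern the traversal finding describes: the raw username is joined
    onto the accounts directory with no checks. Shown only to make the escape
    visible; a '../' segment walks out of accounts_dir (on Windows '..\\' does
    the same). Never use this in real code."""
    return os.path.normpath(os.path.join(accounts_dir, username + ".yaml"))


def validate_username(username: str, existing_usernames) -> str:
    """Return the canonical (lower-cased) username or raise UsernameError.

    Two checks, one per finding:
      1. Shape: the allowlist admits only plain identifiers, so '/', '\\' and
         '..' can never reach a filesystem path.
      2. Uniqueness: compare case-insensitively against accounts that already
         exist, so 'Admin' cannot be created beside an existing 'admin'.
    """
    if not isinstance(username, str):
        raise UsernameError("username must be a string")
    canonical = username.strip().lower()
    if not USERNAME_RE.fullmatch(canonical):
        raise UsernameError(f"invalid username: {username!r}")
    taken = {name.strip().lower() for name in existing_usernames}
    if canonical in taken:
        raise UsernameError(f"username already exists: {canonical}")
    return canonical


def is_rejected(username, existing_usernames) -> bool:
    """True if validate_username refuses the name; handy for tests and audits."""
    try:
        validate_username(username, existing_usernames)
    except UsernameError:
        return True
    return False


def account_path(accounts_dir: str, username: str, existing_usernames) -> str:
    """Compute where the new account's YAML file would be written, after
    validation. A final containment check (the resolved parent must be exactly
    accounts_dir) guards against any future loosening of the allowlist."""
    canonical = validate_username(username, existing_usernames)
    base = os.path.normpath(accounts_dir)
    target = os.path.normpath(os.path.join(base, canonical + ".yaml"))
    if os.path.dirname(target) != base:
        raise UsernameError("account path escapes the accounts directory")
    return target
```

    Validating the identifier first means the path check in account_path never fires in practice; it is kept as defense in depth, so that a later relaxation of USERNAME_RE cannot silently reintroduce traversal.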

  • Cybersecurity Vulnerabilities

    CVE-2025-66294: Critical Server-Side Template Injection Vulnerability in Grav CMS

    Overview
    CVE-2025-66294 describes a Server-Side Template Injection (SSTI) vulnerability in Grav, a file-based web platform. It affects Grav versions prior to 1.8.0-beta.27. Exploitation allows authenticated attackers with editor permissions to execute arbitrary commands on the server; under certain conditions, unauthenticated attackers might also be able to exploit it.

    Technical Details
    The root cause lies in the weak regex validation within the cleanDangerousTwig method of Grav. This method, intended to sanitize user input to prevent malicious Twig code injection, fails to adequately filter out potentially harmful constructs. Attackers can leverage this weakness…

  • Cybersecurity Vulnerabilities

    Frappe Framework Patches Critical Path Traversal Vulnerability (CVE-2025-66206)

    Overview
    A path traversal vulnerability, identified as CVE-2025-66206, has been discovered in Frappe Framework versions prior to 15.86.0 and 14.99.2. It allows attackers who know the server’s file paths to retrieve sensitive files. The issue primarily affects deployments that serve requests directly from Werkzeug/Gunicorn without a reverse proxy; sites hosted on Frappe Cloud or behind a reverse proxy such as NGINX are generally unaffected.

    Technical Details
    The vulnerability stems from insufficient input validation and sanitization when handling file path requests. By manipulating the request parameters, an attacker can traverse the directory structure and access files outside of the intended scope. Specifically, the…
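    The check a file-serving endpoint needs against this class of bug is containment of the fully resolved path, not a filter on the string. The following is an added example, not Frappe's code, written in Python because the framework is Python: it resolves the client-supplied path under a base directory and refuses anything that lands outside. The base directory and the request paths are constructed for the example.

```python
import os
from pathlib import Path


class PathTraversalError(PermissionError):
    """Raised when a requested path would leave the allowed directory."""


def resolve_under(base_dir: str, requested: str) -> Path:
    """Map a client-supplied relative path onto base_dir, or raise.

    `requested` must already be URL-decoded (the web framework does that), so
    the check sees the same characters the filesystem would.
      1. Reject NUL bytes and absolute paths outright.
      2. Join, then fully resolve with os.path.realpath, which collapses '..'
         segments and follows symlinks.
      3. Require the result to be base_dir itself or a descendant, compared by
         path components rather than by string prefix, so '/srv/files-old' is
         not mistaken for something under '/srv/files'.
    """
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in requested path")
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise PathTraversalError("absolute paths are not allowed")
    base = Path(os.path.realpath(base_dir))
    target = Path(os.path.realpath(os.path.join(str(base), requested)))
    if target != base and base not in target.parents:
        raise PathTraversalError(f"{requested!r} resolves outside {base}")
    return target


def is_contained(base_dir: str, requested: str) -> bool:
    """Convenience predicate: does resolve_under accept this request?"""
    try:
        resolve_under(base_dir, requested)
    except PathTraversalError:
        return False
    return True
```

    A reverse proxy in front of the application usually normalizes or rejects '..' segments before they arrive, which is why the advisory singles out deployments that expose Werkzeug/Gunicorn directly; the containment check above does not depend on that.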

  • Cybersecurity Vulnerabilities

    Critical SQL Injection Vulnerability Patched in Frappe Framework (CVE-2025-66205)

    Overview
    CVE-2025-66205 details a high-severity SQL injection vulnerability in the Frappe framework, a full-stack web application framework commonly used for building applications such as ERPNext. The flaw, present in versions prior to 15.86.0 and 14.99.2, could allow attackers to inject SQL into specific endpoints because parameters are insufficiently validated. Successful exploitation could lead to information disclosure, including retrieval of version information.

    Technical Details
    The vulnerability resides in a specific endpoint within the Frappe framework where user-supplied parameters are not properly validated before being used in SQL queries. An attacker could craft a malicious request containing SQL code within these…
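    The advisory names the defect (a parameter used in a query without validation) but not the endpoint or query. The following is an added example, not Frappe's code, that shows the general failure mode and its fix in Python with an in-memory SQLite table: a string-built lookup beside a version that validates the parameter against an allowlist and binds it. The table, rows and tautology input are constructed for the example and are not the payload used against Frappe.

```python
import re
import sqlite3

# Names an app is allowed to have: an assumption for this example.
APP_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,63}")


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; not Frappe's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_version (app TEXT NOT NULL, version TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO app_version VALUES (?, ?)",
        [("frappe", "15.85.0"), ("erpnext", "15.70.1"), ("internal_app", "0.9.3")],
    )
    conn.commit()
    return conn


def versions_unvalidated(conn: sqlite3.Connection, app: str) -> list:
    """The shape the advisory describes: the parameter is spliced into the SQL
    text, so a quote inside it changes the query. Kept only for contrast."""
    sql = f"SELECT version FROM app_version WHERE app = '{app}'"
    return [row[0] for row in conn.execute(sql)]


def versions_hardened(conn: sqlite3.Connection, app: str) -> list:
    """Validate the parameter against an allowlist, then bind it. Binding alone
    stops the injection; the allowlist additionally turns malformed input into
    an explicit error instead of a silent empty result."""
    if not APP_NAME_RE.fullmatch(app):
        raise ValueError(f"invalid app name: {app!r}")
    sql = "SELECT version FROM app_version WHERE app = ?"
    return [row[0] for row in conn.execute(sql, (app,))]


def hardened_rejects(conn: sqlite3.Connection, app: str) -> bool:
    """True if versions_hardened refuses the parameter."""
    try:
        versions_hardened(conn, app)
    except ValueError:
        return True
    return False
```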

  • Cybersecurity Vulnerabilities

    PublicCMS Under Attack: CSRF Vulnerability in CkEditorAdminController (CVE-2025-65840)

    Overview
    A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PublicCMS version V5.202506.b, specifically in the CkEditorAdminController. It is tracked as CVE-2025-65840. CSRF vulnerabilities allow attackers to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized modifications or data breaches within the PublicCMS system.

    Technical Details
    The vulnerability resides within the CkEditorAdminController of PublicCMS. Due to the lack of sufficient CSRF protection, an attacker can craft a malicious web page that, when visited by an authenticated user, will trigger unintended actions within the PublicCMS application. This might involve modifying CMS settings,…
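    The defense missing from a controller like this is a per-session synchronizer token checked on every state-changing request. The following is an added example, not PublicCMS code (which is Java; Python is used here for consistency with the other examples on this page), showing token issuance and the server-side check, including the Origin header as a second signal. The secret key, session IDs and origins are constructed for the example.

```python
import hashlib
import hmac

# Server-side secret; a fixed constructed value so the example is deterministic.
# A real deployment generates one per installation with secrets.token_bytes(32).
SECRET_KEY = b"constructed-example-key-do-not-reuse-in-production"

# Methods that must not change state and therefore need no token.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The server embeds it as a hidden field in the forms it renders. An
    attacker's page cannot read it because of the same-origin policy, and the
    browser does not attach it automatically the way it attaches cookies."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_authorized_request(method: str, session_id: str, form_token,
                          origin, site_origin: str) -> bool:
    """Decide whether a request may proceed.

    session_id: taken from the session cookie the browser attached automatically.
    form_token: the hidden field carried in the request body (None if absent).
    origin:     the Origin request header (None if the browser sent none).
    site_origin: the origin the application is served from.
    """
    if method.upper() in SAFE_METHODS:
        return True
    # A present Origin header that names another site is a forgery regardless
    # of what else the request carries.
    if origin is not None and origin != site_origin:
        return False
    if form_token is None:
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so token checking does not leak by timing.
    return hmac.compare_digest(expected, form_token)
```

    A forged request from another site arrives with the victim's session cookie but without the hidden field, and with an Origin header naming the attacker's site, so both checks fail independently. Tokens should also be regenerated when the session ID changes (login, privilege change), which the binding to session_id above gives for free.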