Grav ihas Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
Description
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is now able to change the functioning of the form through modifying the content of the data[_json][header][form] which is the YAML frontmatter which includes the process section which dictates what happens after a user submits the form which include some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
getgrav/gravPackagist | < 1.8.0-beta.27 | 1.8.0-beta.27 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-v8x2-fjv7-8hjhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-66301ghsaADVISORY
- github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjhghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.