CVE-2025-66298

Description

### Summary Having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload. Sensitive information may be contained in the configuration details. ### PoC Create a simple form with two fields, 'registration-number' and 'hp'. Add a submit button and set the method to POST(screenshot attached below). Form name set to 'hero-form'. Send a POST request with the following payload and you will notice a response with a php array listing the whole Grav configuration details - including plugins(screenshot attached). registration-number:d643aaaa hp:vJyifp __form-name__:hero-form __unique_form_id__:{{var_dump(_context|slice(0,7))}} ![Screenshot 2025-03-25 at 7 26 02 AM](https://github.com/user-attachments/assets/b92b099b-c07a-4ea2-a3f9-47361ceb9355) ![Screenshot 2025-03-25 at 7 22 58 AM](https://github.com/user-attachments/assets/d9146fd3-5887-4bf8-87d9-78f43ade91c8) ### Impact Server-Side Template (SST) vulnerability. The vulnerability affects the latest Grav version as of 25th of Match 2025 (1.7.48) with all plugins installed (including forms plugin v.7.4.2) to their latest versions as well.

How to fix CVE-2025-66298

To remediate CVE-2025-66298, upgrade the affected package to a fixed version below.

—upgrade to 1.8.0-beta.27 or later

Is CVE-2025-66298 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.8.0-beta.27

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P