Having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload. Sensitive information may be contained in the configuration details.
Create a simple form with two fields, 'registration-number' and 'hp'. Add a submit button and set the method to POST(screenshot attached below). Form name set to 'hero-form'. Send a POST request with the following payload and you will notice a response with a php array listing the whole Grav configuration details - including plugins(screenshot attached).
registration-number:d643aaaa
hp:vJyifp
form-name:hero-form
unique_form_id:{{var_dump(_context|slice(0,7))}}
Server-Side Template (SST) vulnerability. The vulnerability affects the latest Grav version as of 25th of Match 2025 (1.7.48) with all plugins installed (including forms plugin v.7.4.2) to their latest versions as well.
| Score | Percentile |
|---|---|
| 0.08% | 22.93% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.7 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-8535-hvm8-2hmv ↗ |
| CVE | CVE-2025-66298 ↗ |
| CWE id | Name |
|---|---|
| CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | getgrav/grav | < 1.8.0-beta.27 | 1.8.0-beta.27 | — |