We’re taking on a small number of new builds and rebuilds this quarter. Book a call to see if your project is a fit.

CVE CVE-2025-66844

CVE-2025-66844

PHP

Severity: CRITICAL
CVSS: 9.1CVSS
Published: 2025-12-15
Last modified: 2025-12-17
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-918

Description

In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered

References

https://github.com/Yohane-Mashiro/grav_cve/issues/2

Summary

Description

References