CVE-2026-42608

CRITICAL

Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component.

Title source: cna

Description

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/getgrav/grav/security/advisories/GHSA-hmcx-ch82-3fv2

Scores

CVSS v3 9.1

EPSS 0.0052

EPSS Percentile 39.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-22

Status published

Products (4)

getgrav/grav 2.0.0 beta1

getgrav/grav < 2.0.0

getgrav/grav 0 - 2.0.0-beta.2Packagist

getgrav/grav < 2.0.0-beta.2

Published May 11, 2026

Tracked Since May 11, 2026