Grav CMS CVE-2026-42608
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Vulnerability Report: Grav CMS Unauthenticated Path Traversal & Arbitrary File Write
[ZERO-DAY] Unauthenticated Path Traversal leading to Arbitrary Directory Creation and Configuration Injection
Summary
Grav CMS (v1.7.49.5 and latest development source) is vulnerable to a Zero-Day Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data.
This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments.
Affected Component
- Versions: Confirmed in Grav v1.7.49.5 (latest stable) and the latest development source (March 2026).
- Class:
Grav\Framework\Form\FormFlash - Method:
__construct()/getTmpDir() - Parameter:
session_id(Mapped to__form-flash-idin POST requests)
Vulnerability Details
The FormFlash class is used to persist form data across redirects. It constructs a temporary storage path using the provided session_id. The path construction logic in the latest source:
$folder = $config['folder'] ?? ($this->sessionId ? 'tmp://forms/' . $this->sessionId : '');
$this->folder = $folder && $locator->isStream($folder) ? $locator->findResource($folder, true, true) : $folder;Lack of sanitization on the sessionId (the raw session identifier) allows the use of ../ sequences. When findResource resolves the stream, it allows escape into any writable directory within the webserver's scope (typically user/config/, cache/, logs/, and tmp/).
Affected Versions & Zero-Day Status
- Tested Version: v1.7.49.5 (Latest Stable Release as of Nov 2025).
- Development Branch Status: Vulnerable. The latest source code in the GitHub develop branch (March 2026) remains unpatched.
- Affected Range: All Grav CMS versions utilizing the FormFlash component (v1.7.x and potentially older v1.6.x versions).
- CVE Status: Zero-Day (Non-Registered). Extensive research confirmed no existing CVE addresses this specific core FormFlash session-based traversal.
Steps to Reproduce
- Identify any page containing a Grav Form (e.g.,
/contact). - Intercept the POST request during form submission.
- Modify the
__form-flash-idparameter to include a traversal sequence targeting a writable directory (e.g.,../../user/config/proof_dir). - Submit the request.
- Observe that a new directory (
poc/) and file (index.yaml) have been created at the traversed path.
Request Example
POST /contact HTTP/1.1
Host: target.grav.cms
Content-Type: application/x-www-form-urlencoded
__form-name-=contact&__form-flash-id=../../user/config/proof_dir&form-data[name]=Attack&form-data[message]=PayloadResponse / Result
- HTTP/1.1 302 Found (Standard redirect)
- Filesystem Modification:
- Directory Created:
/var/www/html/user/config/proof_dir/poc/ - File Created:
/var/www/html/user/config/proof_dir/poc/index.yaml
Proof of Concept Evidence (Before/After)
Before Exploitation
- Status: Directory does not exist.
- Evidence:
$ ls -la /var/www/html/user/config/proof_dir/
ls: cannot access '/var/www/html/user/config/proof_dir/': No such file or directoryAfter Exploitation
- Status: Arbitrary directory and
index.yamlcreated. - Evidence:
$ ls -la /var/www/html/user/config/proof_dir/poc/index.yaml
-rw-rw-r-- 1 www-data www-data 158 Mar 23 22:15 /var/www/html/user/config/proof_dir/poc/index.yaml
$ cat /var/www/html/user/config/proof_dir/poc/index.yaml
form: ''
id: ''
unique_id: poc
...
data:
poc_status: confirmedImpact
- Clarified Cross-User Attack: By controlling the session identifier, an attacker can overwrite or interfere with other users temporary form data, breaking session isolation.
- Configuration Injection: Writing
index.yamlinto plugin/theme configuration subdirectories can alter application behavior or inject malicious settings. - Data Integrity: Unauthorized modification of configuration subfolders can lead to widespread site corruption or logical bypasses.
- Denial of Service (DoS): Recursive directory creation enables attackers to exhaust disk space or inodes (inode exhaustion).
Attack Requirements
- Authentication: None (Unauthenticated)
- Configuration: Standard Grav installation with at least one form-enabled page (e.g., Contact, Login, Registration)
Exploitability Assessment
- Complexity: Low. Requires only basic HTTP POST parameters.
- Reliability: 100% (Deterministically reproducible in vulnerable versions).
- Severity: Critical / High. The vulnerability requires no authentication and allows filesystem manipulation and session data corruption.
Remediation
- Sanitize Session IDs: Apply
basename()or a strict alphanumeric regex to thesession_idin FormFlash before path construction. - Filesystem Hardening: Ensure
user/config/and other sensitive directories have restrictive permissions preventing the webserver from creating new subdirectories. - Update Grav: Monitor for patches addressing FormFlash sanitization.
---
Maintainer note - fix applied (2026-04-24)
Fixed in Grav core on the 2.0 branch: commit d904efc33 - will ship in 2.0.0-beta.2.
What changed: FormFlash::__construct() now sanitizes session_id, unique_id, and id through a strict [A-Za-z0-9,_-]{1,64} allowlist before any path is constructed from them. Invalid values collapse to '', which causes save()/delete()/getTmpDir() to no-op - so a __form-flash-id=../../user/config/proof_dir POST simply does nothing on disk.
Files:
system/src/Grav/Framework/Form/FormFlash.phptests/unit/Grav/Common/Security/FormFlashSecurityTest.php- 32 test cases covering the PoC + variants.
AnalysisAI
Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.
Technical ContextAI
The vulnerability resides in Grav's FormFlash component (Grav\Framework\Form\FormFlash class), which persists form data across HTTP redirects using filesystem-backed temporary storage. The class constructs storage paths by concatenating a base directory with an unsanitized session_id value received from the __form-flash-id POST parameter. The path construction logic passes this user-controlled identifier directly to findResource() without validating or escaping directory traversal sequences (../) before stream resolution. This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) implementation flaw. The stream locator resolves tmp://forms/ prefixes to writable webserver directories (user/config/, cache/, logs/, tmp/), enabling attackers to escape intended boundaries. The FormFlash component is core to Grav's form handling-used by contact forms, login pages, and registration workflows-making it present in default installations. The CPE pkg:composer/getgrav_grav confirms this is a first-party Grav CMS core vulnerability, not a third-party plugin issue.
RemediationAI
Upgrade to Grav CMS v2.0.0-beta.2 or later, which implements strict alphanumeric allowlist validation ([A-Za-z0-9,_-]{1,64}) on session_id, unique_id, and id parameters in FormFlash::__construct() before any path construction. Vendor patch commits: d904efc33e03ebb597afde8d3368b28cf0423632 (primary fix) and c66dfeb5ff679a1667678c6335eb9ff3255dfc47 (additional hardening). Full advisory and patch details at https://github.com/getgrav/grav/security/advisories/GHSA-hmcx-ch82-3fv2. If upgrading to beta release is not feasible for production environments, implement these compensating controls: (1) Set restrictive filesystem permissions on user/config/, cache/, logs/, and tmp/ directories to prevent webserver process (www-data) from creating new subdirectories (chmod 550 with read-only for www-data group; note this may break legitimate cache writes-test thoroughly). (2) Deploy web application firewall rules to block POST requests containing __form-flash-id parameters with ../ or encoded traversal sequences (%2e%2e%2f). (3) Temporarily disable form functionality on internet-facing pages if business operations allow. Trade-off: permission hardening may require manual cache clearing; WAF rules risk false positives on legitimate session IDs containing hyphens.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hmcx-ch82-3fv2