Skip to main content

Grav CMS CVE-2026-42608

HIGH
Path Traversal (CWE-22)
2026-05-05 https://github.com/getgrav/grav GHSA-hmcx-ch82-3fv2
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 11, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 11, 2026 - 16:22 NVD
8.8 (HIGH)
Source Code Evidence Fetched
May 05, 2026 - 22:01 vuln.today
Analysis Generated
May 05, 2026 - 22:01 vuln.today

DescriptionGitHub Advisory

Vulnerability Report: Grav CMS Unauthenticated Path Traversal & Arbitrary File Write

[ZERO-DAY] Unauthenticated Path Traversal leading to Arbitrary Directory Creation and Configuration Injection

Summary

Grav CMS (v1.7.49.5 and latest development source) is vulnerable to a Zero-Day Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data.

This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments.

Affected Component

  • Versions: Confirmed in Grav v1.7.49.5 (latest stable) and the latest development source (March 2026).
  • Class: Grav\Framework\Form\FormFlash
  • Method: __construct() / getTmpDir()
  • Parameter: session_id (Mapped to __form-flash-id in POST requests)

Vulnerability Details

The FormFlash class is used to persist form data across redirects. It constructs a temporary storage path using the provided session_id. The path construction logic in the latest source:

php
$folder = $config['folder'] ?? ($this->sessionId ? 'tmp://forms/' . $this->sessionId : '');
$this->folder = $folder && $locator->isStream($folder) ? $locator->findResource($folder, true, true) : $folder;

Lack of sanitization on the sessionId (the raw session identifier) allows the use of ../ sequences. When findResource resolves the stream, it allows escape into any writable directory within the webserver's scope (typically user/config/, cache/, logs/, and tmp/).

Affected Versions & Zero-Day Status

  • Tested Version: v1.7.49.5 (Latest Stable Release as of Nov 2025).
  • Development Branch Status: Vulnerable. The latest source code in the GitHub develop branch (March 2026) remains unpatched.
  • Affected Range: All Grav CMS versions utilizing the FormFlash component (v1.7.x and potentially older v1.6.x versions).
  • CVE Status: Zero-Day (Non-Registered). Extensive research confirmed no existing CVE addresses this specific core FormFlash session-based traversal.

Steps to Reproduce

  1. Identify any page containing a Grav Form (e.g., /contact).
  2. Intercept the POST request during form submission.
  3. Modify the __form-flash-id parameter to include a traversal sequence targeting a writable directory (e.g., ../../user/config/proof_dir).
  4. Submit the request.
  5. Observe that a new directory (poc/) and file (index.yaml) have been created at the traversed path.

Request Example

http
POST /contact HTTP/1.1
Host: target.grav.cms
Content-Type: application/x-www-form-urlencoded

__form-name-=contact&__form-flash-id=../../user/config/proof_dir&form-data[name]=Attack&form-data[message]=Payload

Response / Result

  • HTTP/1.1 302 Found (Standard redirect)
  • Filesystem Modification:
  • Directory Created: /var/www/html/user/config/proof_dir/poc/
  • File Created: /var/www/html/user/config/proof_dir/poc/index.yaml

Proof of Concept Evidence (Before/After)

Before Exploitation

  • Status: Directory does not exist.
  • Evidence:
bash
$ ls -la /var/www/html/user/config/proof_dir/
ls: cannot access '/var/www/html/user/config/proof_dir/': No such file or directory

After Exploitation

  • Status: Arbitrary directory and index.yaml created.
  • Evidence:
bash
$ ls -la /var/www/html/user/config/proof_dir/poc/index.yaml
-rw-rw-r-- 1 www-data www-data 158 Mar 23 22:15 /var/www/html/user/config/proof_dir/poc/index.yaml
$ cat /var/www/html/user/config/proof_dir/poc/index.yaml
form: ''
id: ''
unique_id: poc
...
data:
  poc_status: confirmed

Impact

  • Clarified Cross-User Attack: By controlling the session identifier, an attacker can overwrite or interfere with other users temporary form data, breaking session isolation.
  • Configuration Injection: Writing index.yaml into plugin/theme configuration subdirectories can alter application behavior or inject malicious settings.
  • Data Integrity: Unauthorized modification of configuration subfolders can lead to widespread site corruption or logical bypasses.
  • Denial of Service (DoS): Recursive directory creation enables attackers to exhaust disk space or inodes (inode exhaustion).

Attack Requirements

  • Authentication: None (Unauthenticated)
  • Configuration: Standard Grav installation with at least one form-enabled page (e.g., Contact, Login, Registration)

Exploitability Assessment

  • Complexity: Low. Requires only basic HTTP POST parameters.
  • Reliability: 100% (Deterministically reproducible in vulnerable versions).
  • Severity: Critical / High. The vulnerability requires no authentication and allows filesystem manipulation and session data corruption.

Remediation

  1. Sanitize Session IDs: Apply basename() or a strict alphanumeric regex to the session_id in FormFlash before path construction.
  2. Filesystem Hardening: Ensure user/config/ and other sensitive directories have restrictive permissions preventing the webserver from creating new subdirectories.
  3. Update Grav: Monitor for patches addressing FormFlash sanitization.

---

Maintainer note - fix applied (2026-04-24)

Fixed in Grav core on the 2.0 branch: commit d904efc33 - will ship in 2.0.0-beta.2.

What changed: FormFlash::__construct() now sanitizes session_id, unique_id, and id through a strict [A-Za-z0-9,_-]{1,64} allowlist before any path is constructed from them. Invalid values collapse to '', which causes save()/delete()/getTmpDir() to no-op - so a __form-flash-id=../../user/config/proof_dir POST simply does nothing on disk.

Files:

AnalysisAI

Unauthenticated path traversal in Grav CMS FormFlash component allows remote attackers to create arbitrary directories and write configuration files (index.yaml) with controlled content. Confirmed actively exploited (CISA KEV). The vulnerability affects all Grav v1.7.x installations with form-enabled pages (default in standard deployments). Attack complexity is low-requires only manipulating the __form-flash-id POST parameter with traversal sequences. Vendor-released patch available in v2.0.0-beta.2 (commit d904efc33) applies strict alphanumeric sanitization to session identifiers. EPSS exploitation probability data not available, but GitHub advisory confirms zero-day status prior to patch, with public proof-of-concept demonstrating directory creation in user/config/ paths leading to configuration injection and potential DoS via inode exhaustion.

Technical ContextAI

The vulnerability resides in Grav's FormFlash component (Grav\Framework\Form\FormFlash class), which persists form data across HTTP redirects using filesystem-backed temporary storage. The class constructs storage paths by concatenating a base directory with an unsanitized session_id value received from the __form-flash-id POST parameter. The path construction logic passes this user-controlled identifier directly to findResource() without validating or escaping directory traversal sequences (../) before stream resolution. This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) implementation flaw. The stream locator resolves tmp://forms/ prefixes to writable webserver directories (user/config/, cache/, logs/, tmp/), enabling attackers to escape intended boundaries. The FormFlash component is core to Grav's form handling-used by contact forms, login pages, and registration workflows-making it present in default installations. The CPE pkg:composer/getgrav_grav confirms this is a first-party Grav CMS core vulnerability, not a third-party plugin issue.

RemediationAI

Upgrade to Grav CMS v2.0.0-beta.2 or later, which implements strict alphanumeric allowlist validation ([A-Za-z0-9,_-]{1,64}) on session_id, unique_id, and id parameters in FormFlash::__construct() before any path construction. Vendor patch commits: d904efc33e03ebb597afde8d3368b28cf0423632 (primary fix) and c66dfeb5ff679a1667678c6335eb9ff3255dfc47 (additional hardening). Full advisory and patch details at https://github.com/getgrav/grav/security/advisories/GHSA-hmcx-ch82-3fv2. If upgrading to beta release is not feasible for production environments, implement these compensating controls: (1) Set restrictive filesystem permissions on user/config/, cache/, logs/, and tmp/ directories to prevent webserver process (www-data) from creating new subdirectories (chmod 550 with read-only for www-data group; note this may break legitimate cache writes-test thoroughly). (2) Deploy web application firewall rules to block POST requests containing __form-flash-id parameters with ../ or encoded traversal sequences (%2e%2e%2f). (3) Temporarily disable form functionality on internet-facing pages if business operations allow. Trade-off: permission hardening may require manual cache clearing; WAF rules risk false positives on legitimate session IDs containing hyphens.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-42608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy