CVE-2026-42608
Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component.
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.
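As an added illustration of the defensive check this class of bug calls for (example code written here, not Grav's own fix or its FormFlash API; the base directory, the id charset and the function names are assumptions), the snippet below only derives a flash directory and its index.yaml path from a session id that is both well-formed and resolves inside the configured base directory:

```python
import re
from pathlib import Path
from typing import Optional

# Flash ids are opaque session tokens: a fixed safe charset and length are
# assumed here, which already excludes '/', '\\' and '..' segments.
FLASH_ID_RE = re.compile(r"^[A-Za-z0-9_-]{8,128}$")


def resolve_flash_dir(base_dir: str, flash_id: str) -> Optional[Path]:
    """Return <base_dir>/<flash_id> if the id is acceptable, else None."""
    if not FLASH_ID_RE.fullmatch(flash_id):
        return None
    base = Path(base_dir).resolve()
    target = (base / flash_id).resolve()
    # Defence in depth: even if the charset rule were loosened later, the
    # resolved directory must stay strictly below base. is_relative_to()
    # also rejects prefix collisions such as /x/flash vs /x/flash_other.
    if target == base or not target.is_relative_to(base):
        return None
    return target


def index_yaml_path(base_dir: str, flash_id: str) -> Optional[Path]:
    """Path of the index.yaml that would be written for this flash id."""
    flash_dir = resolve_flash_dir(base_dir, flash_id)
    return None if flash_dir is None else flash_dir / "index.yaml"


def classify(base_dir: str, flash_id: str) -> str:
    """'accept' or 'reject', handy for logging and for tests."""
    return "accept" if resolve_flash_dir(base_dir, flash_id) else "reject"


if __name__ == "__main__":
    # Constructed sample ids: one benign token, one traversal attempt,
    # one URL-encoded variant and one that is simply malformed.
    BASE = "/tmp/grav-flash"  # assumed storage location
    for fid in ("a1b2c3d4e5f6", "../../user/config", "..%2F..%2Fuser", "abc"):
        print(f"{fid!r:24} -> {classify(BASE, fid)}")
```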
| CWE | CWE-22 |
| Vendor | getgrav |
| Product | grav |
| Published | May 11, 2026 |
| Last Updated | May 11, 2026 |
Affected Versions
getgrav / grav
< 2.0.0-beta.2