Arbitrary File Write Vulnerability in Grav's Form Plugin
CVE-2026-61873

7.2HIGH

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61873?

Grav versions prior to 9.1.8 are susceptible to an arbitrary file write vulnerability within the Form plugin. This flaw arises from insufficient validation of the 'process.save.filename' parameter, which is initially checked against path traversal patterns before being processed by Twig. However, the validation is not enforced after rendering the templates. Malicious actors can exploit this oversight by submitting crafted form data that includes path traversal sequences. Consequently, they could write arbitrary files, such as PHP webshells, to the web root or any sensitive directories, potentially leading to unauthorized access or further breaches.

Affected Version(s)

grav 0 < 9.1.8

grav 9.1.8

References

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

alienkeric
.