Arbitrary File Write Vulnerability in Grav's Form Plugin
CVE-2026-61873
7.2HIGH
What is CVE-2026-61873?
Grav versions prior to 9.1.8 are susceptible to an arbitrary file write vulnerability within the Form plugin. This flaw arises from insufficient validation of the 'process.save.filename' parameter, which is initially checked against path traversal patterns before being processed by Twig. However, the validation is not enforced after rendering the templates. Malicious actors can exploit this oversight by submitting crafted form data that includes path traversal sequences. Consequently, they could write arbitrary files, such as PHP webshells, to the web root or any sensitive directories, potentially leading to unauthorized access or further breaches.
Affected Version(s)
grav 0 < 9.1.8
grav 9.1.8
