Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.
Published: 2026-05-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the FormFlash component of the Grav web platform. By manipulating the session_id value, passed as __form-flash-id in POST requests, an attacker can traverse the filesystem and create arbitrary directories, writing a crafted index.yaml file. This file write capability permits modification of application configuration or injection of malicious data, potentially compromising data integrity, altering application behavior, and causing service disruption in production environments.

Affected Systems

Any Grav installation running a version prior to 2.0.0-beta.2 is affected. The vulnerability is present in the getgrav:grav product. Versions 2.0.0-beta.2 and later contain a fix.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. The flaw can be exploited by an unauthenticated attacker through normal web interactions, specifically by sending crafted POST requests to the FormFlash endpoint. Because no authentication is required, exposure is broad: any Grav instance on an affected version that is reachable from an untrusted network could be compromised without any prior access.

Generated by OpenCVE AI on May 11, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grav to version 2.0.0-beta.2 or later to apply the vendor fix.
  • If an upgrade cannot be performed immediately, disable or remove the FormFlash component or plugin from the Grav installation to eliminate the attack vector.
  • Block or sanitize the __form-flash-id parameter at the web server or application level to prevent traversal attempts, ensuring that only legitimate session identifiers are accepted.
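The last two recommendations amount to one control: treat `__form-flash-id` as an opaque token, accept it only if it matches a strict allow-list, and additionally confirm that the directory it resolves to still lies inside the flash storage root. The following is an added illustration of that check, not Grav's code and not the vendor fix; the token alphabet, the `flash_store` base directory and the sample POST bodies are constructed assumptions chosen to show the pattern, and the same validator serves both a web-server-level filter and an application-level guard.

```python
import re
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qs

# Assumed policy: a flash id is an opaque session token made only of
# URL-safe characters. Dots, slashes, backslashes and NUL are therefore
# rejected before the value is ever used to build a path (CWE-22 guard).
FLASH_ID_RE = re.compile(r"^[A-Za-z0-9_-]{8,128}$")


def is_valid_flash_id(flash_id: str) -> bool:
    """Allow-list check on the raw parameter value."""
    return bool(flash_id) and FLASH_ID_RE.fullmatch(flash_id) is not None


def request_is_acceptable(body: str) -> bool:
    """Web-server / middleware level filter over a form-encoded POST body.

    Rejects the request if any __form-flash-id value fails the allow-list.
    A request without the parameter is passed through untouched; that case
    is the application's business, not the filter's.
    """
    params = parse_qs(body, keep_blank_values=True)
    return all(is_valid_flash_id(v) for v in params.get("__form-flash-id", []))


def resolve_flash_dir(base: str, flash_id: str) -> Optional[str]:
    """Application level guard: map an id to its per-session directory.

    Two independent checks (defense in depth):
      1. the id passes the allow-list;
      2. the resolved directory is a direct child of the resolved base,
         so no normalization surprise can move it outside the store.
    Returns the directory path, or None if the id is rejected.
    """
    if not is_valid_flash_id(flash_id):
        return None
    base_resolved = Path(base).resolve()
    target = (base_resolved / flash_id).resolve()
    if target.parent != base_resolved:
        return None
    return str(target)


def store_flash_index(base: str, flash_id: str, yaml_text: str) -> Optional[str]:
    """Create the per-session directory and write index.yaml, only after the
    id has been validated and contained. Returns the written path or None."""
    target = resolve_flash_dir(base, flash_id)
    if target is None:
        return None
    directory = Path(target)
    directory.mkdir(parents=False, exist_ok=True)  # never mkdir -p from user input
    index_path = directory / "index.yaml"
    index_path.write_text(yaml_text, encoding="utf-8")
    return str(index_path)


if __name__ == "__main__":
    # Constructed sample bodies: one well-formed, two carrying traversal sequences.
    samples = [
        "name=alice&__form-flash-id=abcdefgh1234",
        "name=alice&__form-flash-id=..%2F..%2Fetc",
        "__form-flash-id=..%5C..%5Cuser%00",
    ]
    for body in samples:
        print("accept" if request_is_acceptable(body) else "reject", body)
```

`mkdir(parents=False)` is deliberate: creating intermediate directories from a request-supplied name is exactly the capability the advisory describes, so the store root is expected to exist already and only one level is ever created beneath it.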

Advisories
Source: Github GHSA
ID: GHSA-hmcx-ch82-3fv2
Title: Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component
History

Mon, 11 May 2026 17:15:00 +0000

Type: First Time appeared
Values added: Getgrav; Getgrav grav

Type: Vendors & Products
Values added: Getgrav; Getgrav grav

Mon, 11 May 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values added:
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 11 May 2026 15:30:00 +0000

Type: Description
Values added: Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.

Type: Title
Values added: Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component.

Type: Weaknesses
Values added: CWE-22

Type: References

Type: Metrics (cvssV4_0)
Values added:
{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T16:07:54.454Z

Reserved: 2026-04-29T00:31:15.725Z

Link: CVE-2026-42608

Vulnrichment

Updated: 2026-05-11T16:07:19.935Z

NVD

Status: Received

Published: 2026-05-11T16:17:33.207

Modified: 2026-05-11T17:16:33.557

Link: CVE-2026-42608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:15:40Z

Weaknesses