Description
The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions (`md`, `yaml`, `yml`, `json`, `twig`, `ini`) regardless of the configurable dangerous-extensions list. A permissive `accept` policy combined with the default `destination: self@` could otherwise let an attacker overwrite the page's own `.md` and pivot to super-admin via a `process: save` action. This vulnerability is fixed in 9.1.0.
Published: 2026-05-11
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits an unauthenticated attacker to overwrite the content of any page by uploading a file whose name is later used to replace the page’s markdown (or other supported page‑content) file. It is a classic path‑traversal and file‑overwrite flaw classified as CWE‑73. An attacker who can cause the form plugin to process a "process: save" action could alter a page to insert malicious content or to pivot to a super‑admin role. The impact is high confidentiality and integrity loss for the entire content repository, and potentially availability if critical pages are corrupted.

Affected Systems

This issue affects the Grav CMS form plugin (getgrav:grav-plugin-form) on all deployments running versions older than 9.1.0. The fix is included in 9.1.0 and later releases.

Risk and Exploitability

The CVSS score of 7.7 indicates a high risk class vulnerability. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Attackers can exploit it via a public form upload, requiring no authentication and minimal configuration—only a permissive accept policy and a default destination of "self@". If such a configuration exists, the vulnerability can be triggered simply by posting a file with an overridable name. Due to these conditions the fault has a high likelihood of exploitation in the wild if the vulnerable plugin is installed.

Generated by OpenCVE AI on May 11, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade grav-plugin-form to version 9.1.0 or later.
  • If an upgrade is not immediately possible, restrict the form's accept policy and destination settings to prevent writing to page‑content files; disallow the "process: save" action for unauthenticated submissions.
  • Apply the official patch from commit 48bacc4187e1cff815000e526d5ca2878484867f to eliminate the filename override logic that enables the overwrite.

Generated by OpenCVE AI on May 11, 2026 at 17:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w4rc-p66m-x6qq Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override
History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Getgrav
Getgrav grav-plugin-form
Vendors & Products Getgrav
Getgrav grav-plugin-form

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions (`md`, `yaml`, `yml`, `json`, `twig`, `ini`) regardless of the configurable dangerous-extensions list. A permissive `accept` policy combined with the default `destination: self@` could otherwise let an attacker overwrite the page's own `.md` and pivot to super-admin via a `process: save` action. This vulnerability is fixed in 9.1.0.
Title Grav: Anonymous Page Content Overwrite via Form File Upload filename Override
Weaknesses CWE-73
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Getgrav Grav-plugin-form
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:49:49.704Z

Reserved: 2026-04-30T16:44:48.377Z

Link: CVE-2026-42845

cve-icon Vulnrichment

Updated: 2026-05-12T13:49:33.409Z

cve-icon NVD

Status : Deferred

Published: 2026-05-11T17:16:34.157

Modified: 2026-05-12T14:51:21.830

Link: CVE-2026-42845

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:23:05Z

Weaknesses