CVE Catalog

CVE-2026-42608

Critical
Published: Translated: NVD NIST

Summary

Grav is a file-based web platform. Prior to version 2.0.0-beta.2, there was a Path Traversal vulnerability in the FormFlash core component, allowing unauthenticated attackers to manipulate the filesystem.

Risk Assessment

This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments.

Recommendation

It is recommended to upgrade to version 2.0.0-beta.2 to mitigate this vulnerability.

Original NVD description (English source)

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS