Skip to content
Threat Feed
high advisory

Grav Form Plugin Arbitrary File Write Vulnerability (CVE-2026-61873)

Grav before version 9.1.8 contains an arbitrary file write vulnerability in the Form plugin's process.save.filename parameter, allowing attackers to bypass path traversal validation via Twig template processing and write PHP webshells for remote code execution.

A critical arbitrary file write vulnerability, tracked as CVE-2026-61873, affects Grav content management system versions prior to 9.1.8, specifically within the Form plugin. This flaw stems from improper re-validation of the process.save.filename parameter after Twig template processing. While initial path traversal sequences in form data are validated, the rendering through Twig templates allows attackers to reintroduce or re-evaluate these sequences, effectively bypassing the security control. This enables malicious actors to write arbitrary files, including PHP webshells, to sensitive directories like the web root. Successful exploitation can lead to full compromise of the affected web server, unauthorized data access, and remote code execution. This vulnerability presents a severe risk for organizations using vulnerable Grav installations.

Attack Chain

  1. An attacker identifies a Grav CMS instance running the Form plugin version prior to 9.1.8.
  2. The attacker crafts malicious form data, embedding path traversal sequences (e.g., ../ or ..\) within the process.save.filename parameter. The goal is to write a PHP webshell.
  3. The crafted form data is then sent via an HTTP POST request to a vulnerable endpoint handled by the Grav Form plugin.
  4. The Form plugin performs an initial validation of the process.save.filename parameter, which might appear to mitigate path traversal.
  5. However, the filename is subsequently processed through Twig templates, which re-evaluates the path traversal sequences, effectively bypassing the earlier validation.
  6. The arbitrary file write vulnerability is triggered, allowing the attacker to write the PHP webshell file to an unintended and sensitive location, such as the web root.
  7. The attacker accesses the newly deployed webshell via a direct HTTP request to its URL.
  8. Through the webshell, the attacker can execute arbitrary commands on the compromised web server, achieving remote code execution and potentially escalating privileges or exfiltrating data.

Impact

Successful exploitation of CVE-2026-61873 leads to an arbitrary file write on the compromised web server. Attackers can leverage this to upload and execute PHP webshells, resulting in full remote code execution. The direct consequences include unauthorized access to the underlying operating system, data theft from the Grav CMS database or other system files, defacement of the website, and the potential for the compromised server to be used as a pivot point for further attacks into the internal network. Organizations in any sector using Grav CMS are at risk, with the severity of impact depending on the sensitivity of data stored on the server and its network connectivity.

Recommendation

  • Patch CVE-2026-61873 immediately by updating Grav CMS to version 9.1.8 or later.
  • Deploy the Sigma rule "Detect Grav Form Plugin CVE-2026-61873 Path Traversal Attempt" to your SIEM and monitor webserver logs for exploitation attempts.
  • Review web server access logs for requests containing the process.save.filename parameter with path traversal sequences in cs-uri-query that might indicate an attempted exploitation.

Detection coverage 1

Detect Grav Form Plugin CVE-2026-61873 Path Traversal Attempt

high

Detects CVE-2026-61873 exploitation attempts by identifying path traversal sequences within the 'process.save.filename' parameter in webserver query strings, targeting Grav CMS Form plugin.

sigma tactics: execution, initial_access techniques: T1190, T1505.003 sources: webserver

Detection queries are available on the platform. Get full rules →