Product
Grav before version 9.1.8 contains an arbitrary file write vulnerability in the Form plugin's process.save.filename parameter, allowing attackers to bypass path traversal validation via Twig template processing and write PHP webshells for remote code execution.