{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav--9.1.8/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-61873"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Grav (\u003c 9.1.8)"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-write","rce","web-vulnerability","grav","cms","path-traversal"],"_cs_type":"advisory","_cs_vendors":["getgrav"],"content_html":"\u003cp\u003eA critical arbitrary file write vulnerability, tracked as CVE-2026-61873, affects Grav content management system versions prior to 9.1.8, specifically within the Form plugin. This flaw stems from improper re-validation of the \u003ccode\u003eprocess.save.filename\u003c/code\u003e parameter after Twig template processing. While initial path traversal sequences in form data are validated, the rendering through Twig templates allows attackers to reintroduce or re-evaluate these sequences, effectively bypassing the security control. This enables malicious actors to write arbitrary files, including PHP webshells, to sensitive directories like the web root. Successful exploitation can lead to full compromise of the affected web server, unauthorized data access, and remote code execution. This vulnerability presents a severe risk for organizations using vulnerable Grav installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Grav CMS instance running the Form plugin version prior to 9.1.8.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious form data, embedding path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e or \u003ccode\u003e..\\\u003c/code\u003e) within the \u003ccode\u003eprocess.save.filename\u003c/code\u003e parameter. The goal is to write a PHP webshell.\u003c/li\u003e\n\u003cli\u003eThe crafted form data is then sent via an HTTP POST request to a vulnerable endpoint handled by the Grav Form plugin.\u003c/li\u003e\n\u003cli\u003eThe Form plugin performs an initial validation of the \u003ccode\u003eprocess.save.filename\u003c/code\u003e parameter, which might appear to mitigate path traversal.\u003c/li\u003e\n\u003cli\u003eHowever, the filename is subsequently processed through Twig templates, which re-evaluates the path traversal sequences, effectively bypassing the earlier validation.\u003c/li\u003e\n\u003cli\u003eThe arbitrary file write vulnerability is triggered, allowing the attacker to write the PHP webshell file to an unintended and sensitive location, such as the web root.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the newly deployed webshell via a direct HTTP request to its URL.\u003c/li\u003e\n\u003cli\u003eThrough the webshell, the attacker can execute arbitrary commands on the compromised web server, achieving remote code execution and potentially escalating privileges or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61873 leads to an arbitrary file write on the compromised web server. Attackers can leverage this to upload and execute PHP webshells, resulting in full remote code execution. The direct consequences include unauthorized access to the underlying operating system, data theft from the Grav CMS database or other system files, defacement of the website, and the potential for the compromised server to be used as a pivot point for further attacks into the internal network. Organizations in any sector using Grav CMS are at risk, with the severity of impact depending on the sensitivity of data stored on the server and its network connectivity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61873 immediately by updating Grav CMS to version 9.1.8 or later.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Grav Form Plugin CVE-2026-61873 Path Traversal Attempt\u0026quot; to your SIEM and monitor webserver logs for exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for requests containing the \u003ccode\u003eprocess.save.filename\u003c/code\u003e parameter with path traversal sequences in \u003ccode\u003ecs-uri-query\u003c/code\u003e that might indicate an attempted exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T12:36:49Z","date_published":"2026-07-15T12:36:49Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61873-grav-arbitrary-file-write/","summary":"Grav before version 9.1.8 contains an arbitrary file write vulnerability in the Form plugin's process.save.filename parameter, allowing attackers to bypass path traversal validation via Twig template processing and write PHP webshells for remote code execution.","title":"Grav Form Plugin Arbitrary File Write Vulnerability (CVE-2026-61873)","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61873-grav-arbitrary-file-write/"}],"language":"en","title":"CraftedSignal Threat Feed - Grav (\u003c 9.1.8)","version":"https://jsonfeed.org/version/1.1"}