{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/gravcms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["grav (versions \u003c 2.0.0-beta.2)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","file-write","gravcms"],"_cs_type":"advisory","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eGrav CMS versions prior to 2.0.0-beta.2 contain an unauthenticated path traversal vulnerability in the FormFlash component. The \u003ccode\u003e__form-flash-id\u003c/code\u003e parameter of a form POST is passed into the \u003ccode\u003eFormFlash\u003c/code\u003e class as its \u003ccode\u003esession_id\u003c/code\u003e and used to build a filesystem path without sanitization, so an unauthenticated attacker can inject path traversal sequences to create arbitrary directories and write attacker-controlled \u003ccode\u003eindex.yaml\u003c/code\u003e files outside the intended flash storage location. Successful exploitation can lead to configuration injection, data integrity issues, cross-user data interference, and denial of service through disk or inode exhaustion. 
The vulnerability was confirmed in Grav v1.7.49.5 and the development branch as of March 2026, and is addressed in commit \u003ccode\u003ed904efc33\u003c/code\u003e on the 2.0 branch, which will ship in version 2.0.0-beta.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Grav CMS page containing a form (e.g., \u003ccode\u003e/contact\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the POST request generated during form submission.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003e__form-flash-id\u003c/code\u003e parameter in the POST request to include a path traversal sequence (e.g., \u003ccode\u003e../../user/config/poc_dir\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker submits the modified POST request to the server.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eFormFlash\u003c/code\u003e class processes the unsanitized \u003ccode\u003e__form-flash-id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application attempts to create a directory based on the traversed path using \u003ccode\u003elocator-\u0026gt;findResource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn arbitrary directory is created at the specified location (e.g., \u003ccode\u003e/var/www/html/user/config/poc_dir/poc/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAn \u003ccode\u003eindex.yaml\u003c/code\u003e file is written to the newly created directory containing attacker-controlled data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to achieve several malicious outcomes. Attackers can inject malicious configurations by writing \u003ccode\u003eindex.yaml\u003c/code\u003e files into plugin/theme configuration directories, leading to altered application behavior and potential compromise. 
Cross-user data interference becomes possible, allowing attackers to overwrite the temporary form data of other users. Data integrity is compromised through unauthorized modification of configuration subfolders, potentially leading to site corruption. Finally, attackers can trigger a denial-of-service condition by exhausting disk space or inodes through repeated directory creation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Grav CMS version 2.0.0-beta.2 or later, which includes the fix for CVE-2026-42608 (commit \u003ccode\u003ed904efc33\u003c/code\u003e on the 2.0 branch).\u003c/li\u003e\n\u003cli\u003eIf an upgrade is not yet possible, backport the fix: apply a strict alphanumeric regex to the \u003ccode\u003esession_id\u003c/code\u003e in the \u003ccode\u003eFormFlash\u003c/code\u003e class and reject any value that does not match, rather than attempting to strip traversal sequences from it.\u003c/li\u003e\n\u003cli\u003eMonitor for POST requests to form endpoints whose \u003ccode\u003e__form-flash-id\u003c/code\u003e parameter contains path traversal sequences such as \u003ccode\u003e../\u003c/code\u003e or their URL-encoded forms (\u003ccode\u003e..%2F\u003c/code\u003e, \u003ccode\u003e%2e%2e%2f\u003c/code\u003e), using the provided Sigma rules. Note that the parameter travels in the request body, so a standard access log will not show it; detection needs a source that records POST bodies, such as a WAF or ModSecurity audit log or application-level request logging.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:00Z","date_published":"2026-05-06T12:00:00Z","id":"/briefs/2026-05-grav-formflash-traversal/","summary":"Grav CMS contains an unauthenticated path traversal vulnerability in the FormFlash component, allowing attackers to create arbitrary directories and write files, leading to configuration injection and potential denial of service; fixed in version 2.0.0-beta.2.","title":"Grav CMS FormFlash Unauthenticated Path Traversal and Arbitrary File Write","url":"https://feed.craftedsignal.io/briefs/2026-05-grav-formflash-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Gravcms","version":"https://jsonfeed.org/version/1.1"}
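The two recommendations above, the allow-list check on the flash id and the hunt for traversal in POST bodies, as an added worked example. This is not CraftedSignal's, Grav's, or the Sigma rules' code: the exact regex in commit d904efc33 is not reproduced in the brief, so `FLASH_ID_RE` is an assumed strict-alphanumeric pattern; the tab-separated log format and the `SAMPLE_LOG` lines are constructed here to stand in for a WAF or request-body log; and `normalize` adds the decoding the brief's `../` match alone would miss (percent-encoded and double-encoded sequences, backslashes on Windows hosts).

```python
"""Added example: allow-list validation of __form-flash-id modelled on the Grav
2.0.0-beta.2 fix, plus a detector over constructed request-body logs.
Pattern, log format and sample lines are assumptions, not taken from the brief."""
import re
from urllib.parse import unquote

# Assumed allow-list: the brief only says "strict alphanumeric regex".
FLASH_ID_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")

# Traversal = a ".." path component bounded by slashes or string ends.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

# Constructed log lines: timestamp, method, path, body (tab-separated).
# A plain access log would not carry the body column at all.
SAMPLE_LOG = [
    "2026-05-06T12:00:01Z\tGET\t/contact\t-",
    "2026-05-06T12:00:02Z\tPOST\t/contact\t__form-flash-id=a1b2c3d4e5f6&name=alice&message=hi",
    "2026-05-06T12:00:03Z\tPOST\t/contact\t__form-flash-id=..%2F..%2Fuser%2Fconfig%2Fpoc_dir&name=x",
    "2026-05-06T12:00:04Z\tPOST\t/contact\t__form-flash-id=%252e%252e%2Fuser%2Fconfig&name=x",
    "2026-05-06T12:00:05Z\tPOST\t/contact\t__form-flash-id=abc..def&name=x",
]


def flash_id_is_valid(value: str) -> bool:
    """Server-side check in the spirit of the fix: reject anything that is not a
    short alphanumeric token instead of trying to strip '../' out of it."""
    return FLASH_ID_RE.fullmatch(value) is not None


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches %252e double encoding) and fold
    backslashes to forward slashes so one regex covers both separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def flash_id_has_traversal(raw_value: str) -> bool:
    """Detection-side check on the raw (still encoded) parameter value."""
    return TRAVERSAL_RE.search(normalize(raw_value)) is not None


def extract_param(body: str, name: str):
    """Return the raw value of `name` from a urlencoded body, or None.
    Values are left encoded so normalize() can count decoding rounds itself."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            return value
    return None


def scan_request_logs(lines):
    """Return (line_no, path, decoded_flash_id) for every POST whose
    __form-flash-id would traverse out of the flash directory."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.rstrip("\n").split("\t", 3)
        if len(fields) != 4:
            continue
        _ts, method, path, body = fields
        if method != "POST":
            continue
        raw = extract_param(body, "__form-flash-id")
        if raw is not None and flash_id_has_traversal(raw):
            hits.append((line_no, path, normalize(raw)))
    return hits


if __name__ == "__main__":
    for line_no, path, decoded in scan_request_logs(SAMPLE_LOG):
        print(f"line {line_no}: traversal in __form-flash-id on {path}: {decoded}")
    for candidate in ("a1b2c3d4e5f6", "../../user/config/poc_dir", "abc..def"):
        print(f"{candidate!r} accepted by allow-list: {flash_id_is_valid(candidate)}")
```

The two checks deliberately differ: line 5 of the sample (`abc..def`) is not a traversal and the detector ignores it, but the allow-list still rejects it, which is the point of fixing by allow-list rather than by blacklisting `../`.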