CVE-2026-42608
Received Received - Intake
Path Traversal in Grav CMS via FormFlash Session ID

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-42608
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getgrav grav to 2.0.0-beta.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to perform path traversal and arbitrary file write attacks, leading to unauthorized modification of application behavior and potential data integrity issues.

Such unauthorized changes and data integrity problems can result in breaches of confidentiality, integrity, and availability of data, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Specifically, the ability to write malicious configuration files and disrupt service could lead to exposure or alteration of sensitive personal or health information, thereby impacting compliance with these regulations.

Executive Summary

CVE-2026-42608 is a zero-day vulnerability in Grav CMS versions below 2.0.0-beta.2 that allows unauthenticated attackers to perform path traversal and arbitrary file write attacks via the FormFlash component.

By manipulating the `__form-flash-id` parameter in POST requests, attackers can traverse directories and create arbitrary files, such as writing a malicious `index.yaml` file into sensitive directories like `user/config/`.

This vulnerability arises because the session_id parameter is not properly sanitized, allowing attackers to inject path traversal sequences.

Impact Analysis

This vulnerability can lead to unauthorized configuration changes and modification of application behavior.

It can cause data integrity issues and session isolation breaches.

Additionally, attackers may cause denial-of-service conditions through disk exhaustion by creating many files or directories.

Overall, it can disrupt production environments and compromise the security and stability of the Grav CMS installation.

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the Grav CMS application that include the parameter `__form-flash-id`. Suspicious or unusual values in this parameter that contain path traversal sequences (such as ../) may indicate exploitation attempts.

Network detection can involve inspecting HTTP POST traffic for the `__form-flash-id` parameter with directory traversal patterns.

On the system, detection can include searching for unexpected or recently created `index.yaml` files in directories such as `user/config/` or other sensitive locations.

  • Use command-line tools like grep to find suspicious POST requests in web server logs, e.g.:
  • grep -i '__form-flash-id=.*\.\./' /var/log/apache2/access.log
  • Find recently modified or created index.yaml files in Grav directories:
  • find /path/to/grav/user/config/ -name index.yaml -mtime -7 -ls
Mitigation Strategies

The primary mitigation step is to upgrade Grav CMS to version 2.0.0-beta.2 or later, where the vulnerability is patched by sanitizing the `session_id` parameter to prevent path traversal.

If upgrading immediately is not possible, consider implementing web application firewall (WAF) rules to block POST requests containing suspicious `__form-flash-id` values with directory traversal patterns.

Additionally, monitor and restrict write permissions on sensitive directories to limit the ability of an attacker to create or modify files.

Regularly audit your Grav CMS installation for unexpected files such as malicious `index.yaml` files and remove them if found.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42608. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart