CVE-2026-42608
Path Traversal in Grav CMS via FormFlash Session ID
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgrav | grav | all versions before 2.0.0-beta.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42608 is a path traversal vulnerability in Grav CMS versions before 2.0.0-beta.2 that allows unauthenticated attackers to write files outside the intended directory via the FormFlash component.
By manipulating the `__form-flash-id` parameter in POST requests, attackers can traverse directories and create arbitrary files, for example writing a malicious `index.yaml` into a sensitive directory such as `user/config/`.
The root cause is that the `session_id` value taken from that parameter is used to build a filesystem path without being sanitized, so traversal sequences such as `../` are honoured when the path is resolved.
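The following Python sketch is an added illustration of the pattern described above; it is not Grav's code, and the directory layout (`tmp/forms/<session_id>/` for flash data, `user/config/` for site config) and the allow-list regex are assumptions chosen for the example. It places the vulnerable join beside a hardened version that allow-lists the id and then re-checks that the normalized path still sits inside the flash directory.

```python
import posixpath
import re

# Assumed layout (illustrative, not Grav's actual tree): flash data under
# <root>/tmp/forms/<session_id>/ and site configuration under <root>/user/config/.
GRAV_ROOT = "/var/www/grav"
FLASH_DIR = posixpath.join(GRAV_ROOT, "tmp", "forms")

# Assumed allow-list for a session id: no dots, slashes or backslashes, bounded length.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def flash_path_vulnerable(session_id: str, filename: str = "index.yaml") -> str:
    """Vulnerable pattern: the client-supplied id is joined straight into the path,
    so '../' segments walk out of FLASH_DIR when the path is normalized."""
    return posixpath.normpath(posixpath.join(FLASH_DIR, session_id, filename))


def escapes_flash_dir(path: str) -> bool:
    """True if a normalized absolute path is not located under FLASH_DIR."""
    return posixpath.commonpath([FLASH_DIR, path]) != FLASH_DIR


def flash_path_hardened(session_id: str, filename: str = "index.yaml") -> str:
    """Hardened pattern: reject anything outside the allow-list first, then
    confirm the normalized path is still inside FLASH_DIR as a second check."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError(f"rejected session id: {session_id!r}")
    path = posixpath.normpath(posixpath.join(FLASH_DIR, session_id, filename))
    if escapes_flash_dir(path):
        raise ValueError(f"path escapes flash directory: {path}")
    return path


if __name__ == "__main__":
    # Constructed attacker value: the id climbs two levels and lands in user/config/.
    evil = "../../user/config"
    print("vulnerable:", flash_path_vulnerable(evil))
    try:
        flash_path_hardened(evil)
    except ValueError as exc:
        print("hardened:", exc)
```

The allow-list check is the fix that matters; the `commonpath` test is defence in depth for the case where a future change lets a slash or dot through the regex.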
How can this vulnerability impact me?
This vulnerability can lead to unauthorized configuration changes and modification of application behavior.
It can cause data integrity issues and session isolation breaches.
Additionally, attackers may cause denial-of-service conditions through disk exhaustion by creating many files or directories.
Overall, it can disrupt production environments and compromise the security and stability of the Grav CMS installation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring POST requests to the Grav CMS application that include the parameter `__form-flash-id`. Suspicious or unusual values in this parameter that contain path traversal sequences (such as ../) may indicate exploitation attempts.
Network detection can involve inspecting HTTP POST traffic for the `__form-flash-id` parameter with directory traversal patterns.
On the system, detection can include searching for unexpected or recently created `index.yaml` files in directories such as `user/config/` or other sensitive locations.
- Use grep to find requests in web server logs whose `__form-flash-id` value carries a traversal sequence, in plain or URL-encoded form, e.g.:
  `grep -iE '__form-flash-id=[^ &]*(\.\./|\.\.%2f|%2e%2e%2f)' /var/log/apache2/access.log`
  Standard access logs record only the request line, not the POST body, so this catches only attempts that pass the parameter in the query string; for body parameters check a WAF audit log or application-level request logging.
- Find recently modified or created `index.yaml` files in Grav directories (here, anything touched in the last 7 days):
  `find /path/to/grav/user/config/ -name index.yaml -mtime -7 -ls`
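As an added example (not part of the original page or of any Grav tooling), the Python below runs the detection described above over a few constructed combined-format log lines. It decodes the parameter value repeatedly so that single- and double-URL-encoded traversal (`%2e%2e%2f`, `%252e%252e%252f`) and backslash variants are caught, and it deliberately includes a request whose parameter sits in the POST body, which an access log never shows, to make that blind spot visible.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 1 carries __form-flash-id only in the POST body, so the log shows nothing.
LOG_LINES = [
    '10.0.0.5 - - [11/May/2026:10:00:01 +0000] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/May/2026:10:00:07 +0000] "POST /contact?__form-flash-id=..%2F..%2Fuser%2Fconfig HTTP/1.1" 200 512 "-" "curl/8.5"',
    '10.0.0.9 - - [11/May/2026:10:00:09 +0000] "POST /contact?__form-flash-id=%252e%252e%252fuser HTTP/1.1" 200 512 "-" "curl/8.5"',
    '10.0.0.7 - - [11/May/2026:10:00:11 +0000] "POST /contact?__form-flash-id=a1b2c3d4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Value of the parameter as it appears in the request line (stops at '&', space or quote).
PARAM_RE = re.compile(r'__form-flash-id=([^&\s"]*)')

# Traversal indicators after decoding: a '..' path segment (either separator),
# a leading separator (absolute path) or an embedded null byte.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^[\\/]|\x00')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, bounded to avoid pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the decoded parameter value contains a traversal indicator."""
    return bool(TRAVERSAL_RE.search(decode_fully(value)))


def scan_log_lines(lines):
    """Return (raw_value, decoded_value, line) for every line flagged as traversal."""
    hits = []
    for line in lines:
        match = PARAM_RE.search(line)
        if match and is_traversal(match.group(1)):
            hits.append((match.group(1), decode_fully(match.group(1)), line))
    return hits


if __name__ == "__main__":
    for raw, decoded, line in scan_log_lines(LOG_LINES):
        print(f"traversal in __form-flash-id: {raw!r} -> {decoded!r}")
        print("  ", line)
```

Feeding the same `is_traversal` check the decoded body parameters from a WAF audit log or an application request log closes the gap that line 1 of the sample demonstrates.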
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Grav CMS to version 2.0.0-beta.2 or later, where the vulnerability is patched by sanitizing the `session_id` parameter to prevent path traversal.
If upgrading immediately is not possible, consider implementing web application firewall (WAF) rules to block POST requests containing suspicious `__form-flash-id` values with directory traversal patterns.
Additionally, monitor and restrict write permissions on sensitive directories to limit the ability of an attacker to create or modify files.
Regularly audit your Grav CMS installation for unexpected files such as malicious `index.yaml` files and remove them if found.