Compliance Impact

The vulnerability in the Grav Form plugin allows unauthenticated attackers to overwrite page content files and potentially escalate privileges to super-admin. This unauthorized access and modification of content could lead to unauthorized disclosure or alteration of sensitive data.

Such unauthorized access and data manipulation could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of data integrity, confidentiality, and access controls.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory requirements.

Useful 0 Not Useful 0

Executive Summary

The CVE-2026-42845 vulnerability affects the Grav CMS Form plugin versions prior to 9.1.0. It allows unauthenticated attackers to overwrite existing page content files by exploiting a file upload feature. The issue arises because the plugin accepts a POST-supplied filename parameter without properly stripping path components, enabling attackers to upload files that overwrite critical page content files such as .md files.

Additionally, the plugin had a permissive accept policy and a default destination setting that could let attackers overwrite page content files and then escalate privileges to super-admin via a process save action. The vulnerability is fixed in version 9.1.0 by stripping path components from filenames and hard-blocking dangerous file extensions like .md, .yaml, .yml, .json, .twig, and .ini during uploads.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an unauthenticated attacker to overwrite existing page content files on a Grav CMS site, potentially replacing legitimate content with malicious content.

By overwriting page content files such as .md files, an attacker could manipulate the website's content or inject malicious instructions.

More critically, the attacker could escalate privileges to super-admin by exploiting the overwritten content combined with a process save action, leading to full control over the site.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the Grav Form plugin version is prior to 9.1.0, as those versions are vulnerable to unauthenticated page-content overwrite via file upload.

Since the vulnerability exploits file uploads that allow overwriting page content files (e.g., .md files), monitoring for unexpected or unauthorized file changes in the Grav pages directory can help detect exploitation attempts.

Suggested commands to detect potential exploitation include:

• Check the installed Grav Form plugin version: `bin/gpm index | grep form` or inspect the plugin version in the admin panel or composer.json.
• Monitor recent changes to page content files (e.g., .md files) by checking file modification times: `find user/pages/ -type f -name '*.md' -mtime -7` to find files modified in the last 7 days.
• Review web server logs for suspicious POST requests to form upload endpoints that include unusual filenames or path traversal attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Grav Form plugin to version 9.1.0 or later, where the vulnerability is fixed.

The fix includes stripping path components from POST-supplied filenames and hard-blocking dangerous page-content file extensions such as .md, .yaml, .yml, .json, .twig, and .ini during file uploads.

Until the upgrade can be applied, consider restricting file upload capabilities or disabling the form plugin if not needed.

Additionally, review and tighten the file upload accept policies and destination settings to prevent overwriting critical page content files.

Useful 0 Not Useful 0