CVE-2026-61873
Received Received - Intake

Arbitrary File Write in Grav CMS via Twig Template Processing

Vulnerability report for CVE-2026-61873, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

Grav before 9.1.8 contains an arbitrary file write vulnerability in the Form plugin's process.save.filename parameter, which is validated against path traversal before Twig processing but never re-validated after rendering. Attackers can submit form data containing path traversal sequences that are processed through Twig templates, allowing them to write arbitrary files including PHP webshells to the web root or other sensitive directories.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
grav form_plugin to 9.1.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a high-severity arbitrary file write vulnerability in Grav CMS versions before 9.1.8. It affects the Form plugin's process.save.filename parameter. The issue is a Time-of-Check Time-of-Use (TOCTOU) race condition where path traversal is validated before Twig processing but not after rendering. Attackers can exploit this to write arbitrary files, including PHP webshells, to sensitive directories by submitting malicious form data processed through Twig templates.

Impact Analysis

An attacker with editor privileges or API access could exploit this to write malicious files to your web server. This includes PHP webshells that allow remote code execution, overwriting plugin files to maintain persistence, or writing sensitive files like SSH keys. The attack requires minimal privileges and can be triggered by any form submission, making it highly dangerous for unpatched Grav installations.

Compliance Impact

This vulnerability could lead to data breaches, unauthorized access, or system compromise, which may violate GDPR's integrity and confidentiality requirements or HIPAA's security rules. Organizations using vulnerable Grav versions may face compliance violations, regulatory fines, or legal consequences if exploited.

Detection Guidance

Check Grav CMS version with: grep -r "version" /path/to/grav/system/version.yaml. If version <= 9.1.7, the system is vulnerable. Inspect Form plugin files for unusual filenames or recent PHP files in web root directories like /var/www/html/. Monitor for unexpected file writes in user/data/ and plugin directories.

Mitigation Strategies

Upgrade Grav CMS to version 9.1.8 or later immediately. Temporarily disable the Form plugin if not essential. Restrict file write permissions in web directories. Review recent file modifications in /user/data/ and web root for unauthorized files. Implement strict input validation for form submissions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart