CVE-2026-42608 | THREATINT

Description

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.

PUBLISHED Reserved 2026-04-29 | Published 2026-05-11 | Updated 2026-05-11 | Assigner GitHub_M

HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< 2.0.0-beta.2

affected

References

github.com/...v/grav/security/advisories/GHSA-hmcx-ch82-3fv2 exploit

github.com/...v/grav/security/advisories/GHSA-hmcx-ch82-3fv2

cve.org (CVE-2026-42608)

nvd.nist.gov (CVE-2026-42608)

Download JSON