CVE-2026-42845 Overview
CVE-2026-42845 affects the Grav form plugin, which adds form creation and handling capabilities to the Grav flat-file content management system (CMS). Versions prior to 9.1.0 contain an unauthenticated page-content overwrite flaw exploitable through the public file upload handler. An attacker can submit a crafted filename parameter in a multipart POST request to traverse outside the intended upload destination and overwrite the page's own .md source file. Combined with a process: save action and a permissive accept policy, the attacker can pivot to super-admin access. The issue is tracked under GHSA-w4rc-p66m-x6qq and is classified as [CWE-73] External Control of File Name or Path.
Critical Impact
Unauthenticated attackers can overwrite arbitrary page-content files on a vulnerable Grav site and escalate to super-admin privileges.
Affected Products
- Grav CMS form plugin versions prior to 9.1.0
- Grav sites with publicly reachable forms accepting file uploads
- Configurations using the default destination: self@ upload target
Discovery Timeline
- 2026-05-11 - CVE-2026-42845 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42845
Vulnerability Analysis
The Grav form plugin exposes a public upload endpoint that processes multipart form submissions. The handler in classes/Form.php accepted the client-supplied filename POST field verbatim without stripping path components. When the form's destination was set to self@, uploads landed alongside the page's own Markdown source. A request containing a filename such as item.md could therefore overwrite the page file itself.
Grav pages can declare frontmatter that defines forms, including a process: block. By rewriting a page to include a process: save action targeting an admin-controlled file, an unauthenticated attacker can plant credentials or modify the super-admin account on the next form submission. The flaw chains a path component injection with Grav's flat-file storage model to escalate from file upload to administrative takeover.
Root Cause
The upload handler trusted the POST-supplied filename value and only enforced a configurable dangerous-extensions blocklist. Page-content extensions such as md, yaml, yml, json, twig, and ini were not unconditionally blocked, and the filename was not normalized to strip directory traversal sequences or path separators.
Attack Vector
The vulnerability is exploitable over the network without authentication or user interaction. An attacker submits a multipart POST request to a Grav page containing a form configured with a permissive accept rule and the default destination: self@. The filename parameter targets the page's .md file, replacing its contents with attacker-controlled frontmatter and body.
$grav->fireEvent('onFormUploadSettings', new Event(['settings' => &$settings, 'post' => $post]));
$upload = json_decode(json_encode($this->normalizeFiles($_FILES['data'], $settings->name)), true);
- $filename = $post['filename'] ?? $upload['file']['name'];
+ // Strip any path component from the POST-supplied filename. The admin
+ // controllers already do this; the public form path historically did
+ // not, which let an attacker collide the upload with files outside
+ // the intended destination.
+ $filename = Utils::basename((string) ($post['filename'] ?? $upload['file']['name']));
$field = $upload['field'];
// Handle errors and breaks without proceeding further
Source: getgrav/grav-plugin-form commit 48bacc4. The patch wraps the filename in Utils::basename() to strip directory components and adds an unconditional block on page-content extensions.
Detection Methods for CVE-2026-42845
Indicators of Compromise
- POST requests to Grav form endpoints containing a filename field with path separators (/, \) or page-content extensions (.md, .yaml, .yml, .json, .twig, .ini).
- Unexpected modifications to .md files under the Grav user/pages/ directory, particularly outside admin sessions.
- New or altered process: save blocks in page frontmatter referencing administrative file paths.
- Creation or modification of user/accounts/*.yaml files following form upload activity.
Detection Strategies
- Inspect web server access logs for multipart uploads where the filename value contains .., slashes, or restricted extensions.
- Enable file integrity monitoring on the Grav user/pages/ and user/accounts/ directories to flag unauthorized writes.
- Audit Grav page frontmatter for unexpected form: and process: directives introduced after the deployment window.
Monitoring Recommendations
- Log all form submissions handled by the plugin and retain the raw filename parameter for forensic review.
- Alert on any modification of files matching *.md, *.yaml, or *.twig under content directories outside of CI/CD or admin workflows.
- Track new super-admin accounts or password hash changes in Grav's accounts/ store.
How to Mitigate CVE-2026-42845
Immediate Actions Required
- Upgrade the Grav form plugin to version 9.1.0 or later on all instances.
- Audit existing forms for permissive accept rules and the use of destination: self@.
- Review user/pages/ and user/accounts/ for recent unauthorized modifications.
- Rotate Grav admin credentials if signs of page-content overwrite are present.
Patch Information
The fix is delivered in Grav form plugin 9.1.0. Commit 48bacc4187e1cff815000e526d5ca2878484867f calls Utils::basename() on the POST-supplied filename and hard-blocks page-content extensions (md, yaml, yml, json, twig, ini) regardless of the configurable dangerous-extensions list. Refer to GHSA-w4rc-p66m-x6qq for the advisory details.
Workarounds
- Replace destination: self@ with a dedicated upload directory outside user/pages/ until the plugin can be updated.
- Restrict the form accept policy to specific MIME types and extensions required by the use case.
- Place upload-handling forms behind authentication or a web application firewall (WAF) rule that rejects filename values containing path separators or page-content extensions.
# Update Grav form plugin via the bin/gpm utility
cd /path/to/grav
bin/gpm update form
bin/gpm version form # verify 9.1.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
