Grav · Grav · CVE-2024-27923
**Name of the Vulnerable Software and Affected Versions**
Grav versions prior to 1.7.43
**Description**
The issue arises from insufficient permission validation and inadequate file name validation. Users who can write a page can use the `frontmatter` feature, which can lead to remote code execution. The `frontmatter` feature is a metadata block that provides additional information about a page or post. Regular users can exploit this by adding the `data[_json][header][form]` parameter to the POST body while creating a page. Additionally, inadequate file name validation in the Contact Form feature can allow the creation of files such as PHP files on the server, potentially leading to remote code execution.
**Recommendations**
For versions prior to 1.7.43, update to version 1.7.43 or later to fix the issue. As a temporary workaround, consider disabling the `frontmatter` feature and restricting access to the Contact Form feature until a patch is available. Avoid using the `filename` attribute in the Contact Form feature to minimize the risk of exploitation.
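For sites that cannot update immediately, the following added audit example (not code from the advisory or the Grav project) flags page-save request bodies that carry the `data[_json][header][form]` parameter and page files whose frontmatter form block sets a `filename` with a server-executable extension. The function names, the extension list and the sample inputs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Parameter named in the description above.
FORM_PARAM = "data[_json][header][form]"
# Assumption: extensions the web server may execute; match your handler config.
EXEC_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")

# Constructed samples, not taken from a real site.
SAMPLE_PAGE = """---
title: Contact
form:
  name: contact
  process:
    - save:
        filename: 'feedback.php'
---
Page body
"""
SAMPLE_BODY = "task=save&data%5B_json%5D%5Bheader%5D%5Bform%5D=%7B%7D"


def request_sets_form_header(body: str) -> bool:
    # Decoding covers urlencoded bodies; the substring match also covers
    # multipart bodies, where the name appears as name="data[_json]...".
    return FORM_PARAM in unquote_plus(body)


def frontmatter(page_text: str) -> str:
    # Return the YAML block between the leading '---' fences, or ''.
    m = re.match(r"\A---\s*\n(.*?)\n---\s*(\n|\Z)", page_text, re.S)
    return m.group(1) if m else ""


def risky_form_filenames(page_text: str) -> list[str]:
    # Collect `filename:` values under a top-level `form:` key that end in
    # an executable extension. Line-based on purpose: no YAML library needed.
    hits, in_form = [], False
    for line in frontmatter(page_text).splitlines():
        if line and not line[0].isspace():  # a new top-level key starts here
            in_form = line.startswith("form:")
        elif in_form:
            m = re.match(r"\s*-?\s*filename:\s*['\"]?([^'\"#]+)", line)
            if m and m.group(1).strip().lower().endswith(EXEC_EXT):
                hits.append(m.group(1).strip())
    return hits


if __name__ == "__main__":
    print(request_sets_form_header(SAMPLE_BODY), risky_form_filenames(SAMPLE_PAGE))
```

Run `risky_form_filenames` over each page file under the site's pages directory, and `request_sets_form_header` over captured request bodies from accounts that should only be editing page content.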