PT-2026-37274 · Grav · Grav

Sentinal404 · Published 2026-05-05 · Updated 2026-05-13

CVE-2026-42608 · CVSS v4.0 9.3 Critical

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 2.0.0-beta.2

Description: A path traversal issue exists within the FormFlash core component. An unauthenticated attacker can manipulate the session id (passed via the form-flash-id parameter in POST requests) to traverse the filesystem. This allows the creation of arbitrary directories and the writing of an index.yaml file containing attacker-controlled data, which can lead to unauthorized modification of application behavior, data integrity issues, and service disruption. The issue resides in the __construct() and getTmpDir() functions of the Grav\Framework\Form\FormFlash class, where a lack of sanitization on the session id allows ../ sequences to escape into writable directories such as user/config/, cache/, logs/, and tmp/.

Recommendations: Update to version 2.0.0-beta.2. As a temporary workaround, restrict the webserver's write permissions on sensitive directories such as user/config/ to prevent the creation of new subdirectories.
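As an added illustration (not Grav's own code or its fix), the hypothetical resolver below shows the kind of allow-list validation the missing sanitization calls for: a form-flash-id value is accepted only as an opaque alphanumeric token, and the resulting directory is re-checked against the base path before anything would be created there. The class and method names (FlashDirResolver, isValidFlashId, resolve) and the sample ids are constructed for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened lookup of a per-session flash directory. Added
// example, not Grav's code: the id taken from the form-flash-id POST
// parameter must be an opaque token, and the final path must stay
// inside the base directory even if validation were ever loosened.
final class FlashDirResolver
{
    private string $baseDir;

    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) {
            throw new RuntimeException("Base directory does not exist: {$baseDir}");
        }
        $this->baseDir = $real;
    }

    /** Allow-list: session-style ids only (alphanumeric, bounded length). */
    public static function isValidFlashId(string $id): bool
    {
        return preg_match('/\A[A-Za-z0-9]{8,128}\z/', $id) === 1;
    }

    /** Returns the per-session tmp dir, or null when the id is rejected. */
    public function resolve(string $flashId): ?string
    {
        if (!self::isValidFlashId($flashId)) {
            return null;
        }
        $prefix    = $this->baseDir . DIRECTORY_SEPARATOR;
        $candidate = $prefix . $flashId;
        // Defence in depth: the path must remain under baseDir.
        if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $candidate;
    }
}

// Constructed sample ids modelled on the advisory's traversal pattern.
$resolver = new FlashDirResolver(sys_get_temp_dir());
foreach (['a1b2c3d4e5f60718', '../../user/config/x', '..%2F..%2Fcache', ''] as $id) {
    $dir = $resolver->resolve($id);
    printf("%-24s => %s\n", var_export($id, true), $dir ?? 'REJECTED');
}
```

Only the first sample id resolves to a directory; the traversal attempts, the URL-encoded variant, and the empty id are all rejected before any filesystem operation takes place.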

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-42608
GHSA-HMCX-CH82-3FV2

Affected Products

Grav