CVE-2026-42845

Name of the Vulnerable Software and Affected Versions Grav form plugin versions prior to 9.1.0

Description An unauthenticated page-content overwrite exists via file upload. The file upload handler in user/plugins/form/classes/Form.php uses a filename parameter that can be controlled via POST requests. Because the Utils::checkFilename() function only blocks a limited set of extensions, files with extensions such as .md are permitted. When a form is configured with a permissive accept policy and the default destination: self@ setting, an attacker can upload a malicious markdown file to overwrite the page's own content file. This can be leveraged to pivot to super-admin privileges by utilizing a process: save action.

Recommendations Update the form plugin to version 9.1.0. As a temporary workaround, restrict the accept policy of file upload fields to exclude text-based extensions or avoid using the destination: self@ configuration.