Back to overview

CVE-2026-61873

HIGH
8.1
CVSS 3.1
Description
Grav before 9.1.8 contains an arbitrary file write vulnerability in the Form plugin's process.save.filename parameter, which is validated against path traversal before Twig processing but never re-validated after rendering. Attackers can submit form data containing path traversal sequences that are processed through Twig templates, allowing them to write arbitrary files including PHP webshells to the web root or other sensitive directories.

Metadata

CVE ID
CVE-2026-61873
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-10 21:54 UTC
Published
2026-07-15 11:25 UTC
Last updated
2026-07-15 11:47 UTC
Primary CWE
CWE-73
External Control of File Name or Path
Vendor / Product
getgrav / grav
Sources
cve.org  ·  NVD

Severity & Metrics

8.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
getgrav grav 0 < 9.1.8, 9.1.8
Weakness (CWE)
CWESourceDescription
CWE-73 cna External Control of File Name or Path
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
7.2 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
References (2)
Back to overview