EXECUTIVE SUMMARY:
CVE-2026-42845 (CVSS score 7.7) is a vulnerability in the Grav Form Plugin that allows an unauthenticated attacker to overwrite the content of a Grav page by uploading a malicious Markdown file whose filename matches the page’s content file, such as “form.md”. The attacker can achieve this by uploading arbitrary content through a form with an “accept: [*]” policy, which bypasses filename validation. Once the form is submitted, the uploaded file overwrites the page’s “.md” file, enabling manipulation of the page’s YAML frontmatter and Markdown content. This gives control over the page configuration and may lead to arbitrary code execution. If exploited, the vulnerability can result in full site compromise, including unauthorized access, data exposure, and severe business impact. The attacker requires no prerequisites or specific conditions to exploit this vulnerability.
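The root cause described above is an upload path that trusts a wildcard accept policy and never checks whether the uploaded filename collides with the page's own content file. The following is an added example, not code from the Grav Form Plugin or from the advisory, showing the server-side checks a defender would want in front of any upload that lands in a page folder: refuse wildcard accept policies, enforce the allowlist by extension or MIME type, and refuse any name that matches a page content file. The function names, the accept-list syntax, the MIME table and the sample policies are assumptions constructed for the demonstration; the blanket refusal of any “.md” upload is a deliberately stricter choice than the single-filename collision the advisory describes.

```python
import fnmatch
import posixpath

# Constructed sample: content files of the page that owns the form; an upload must never replace these.
PAGE_CONTENT_FILES = {"form.md"}

# Constructed sample accept policies, mirroring the shape of the plugin's "accept:" list (assumption).
WEAK_ACCEPT = ["*"]                 # the policy the advisory warns about
SAFE_ACCEPT = ["image/*", ".pdf"]   # an allowlist of what the form actually needs

# Minimal extension -> MIME map for the demonstration; not a complete MIME table.
MIME_BY_EXT = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".pdf": "application/pdf",
    ".md": "text/markdown",
}


def accept_policy_is_strict(accept):
    """A policy that accepts everything is what lets a '.md' upload through; reject it outright."""
    return bool(accept) and not any(rule.strip() in ("*", "*/*") for rule in accept)


def matches_accept(filename, accept):
    """True if the file's extension or MIME type is explicitly allowed by the policy."""
    ext = posixpath.splitext(filename)[1].lower()
    mime = MIME_BY_EXT.get(ext, "application/octet-stream")
    for rule in accept:
        rule = rule.strip().lower()
        if rule.startswith("."):
            if ext == rule:
                return True
        elif fnmatch.fnmatch(mime, rule):
            return True
    return False


def validate_upload(filename, accept, page_content_files=PAGE_CONTENT_FILES):
    """Return (allowed, reason); every rejection names the check that failed, for logging."""
    # Normalise separators and keep only the last path component; anything path-like is refused.
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name != filename or name.startswith("."):
        return False, "invalid or path-like filename"
    # The collision check runs before the policy check so it is enforced even under a weak policy.
    if name.lower() in {p.lower() for p in page_content_files}:
        return False, "filename collides with page content file"
    if posixpath.splitext(name)[1].lower() == ".md":
        return False, "markdown uploads refused"
    if not accept_policy_is_strict(accept):
        return False, "accept policy is a wildcard; refusing to process upload"
    if not matches_accept(name, accept):
        return False, "file type not in accept policy"
    return True, "ok"


if __name__ == "__main__":
    for candidate, policy in [("form.md", WEAK_ACCEPT), ("photo.png", WEAK_ACCEPT),
                              ("photo.png", SAFE_ACCEPT), ("../form.md", SAFE_ACCEPT)]:
        print(candidate, policy, validate_upload(candidate, policy))
```

The ordering is the point: the collision and Markdown checks do not depend on the form's policy at all, so a misconfigured `accept: [*]` on one form cannot reopen the page-overwrite path, and the wildcard rejection turns a silent misconfiguration into a logged failure an operator will notice.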
RECOMMENDATION:
We recommend updating getgrav/grav-plugin-form to version 9.1.3 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-w4rc-p66m-x6qq