CVE-2026-42845

216.73.217.22

· Published 11/05/2026 17:16 · Modified 12/05/2026 14:51

Labels: CVE-2026-42845 2026-05-11 CVE-2026-42845 CWE-73 [email protected]

Essential information

Published: 11/05/2026 17:16
Modified: 12/05/2026 14:51
Author: —
Creator: —
CVSS: 7.7 HIGH (v3) 7.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions (`md`, `yaml`, `yml`, `json`, `twig`, `ini`) regardless of the configurable dangerous-extensions list. A permissive `accept` policy combined with the default `destination: self@` could otherwise let an attacker overwrite the page's own `.md` and pivot to super-admin via a `process: save` action. This vulnerability is fixed in 9.1.0.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
grav / form plugin	`cpe:2.3:a:grav:form_plugin:<9.1.0:::::::*`