CVE-2026-42608
Published: 11 May 2026
Summary
CVE-2026-42608 is a critical-severity Path Traversal (CWE-22) vulnerability in Getgrav Grav. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing web platform (CWE-22) directly enables unauthenticated exploitation of the application to write arbitrary files and modify behavior.
NVD Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary…
more
directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)