Cyber Resilience

CVE-2026-42608

HighPublic PoC

Published: 11 May 2026

Published
11 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0052 40.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-42608 is a high-severity Path Traversal (CWE-22) vulnerability in Getgrav Grav. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary…

more

directories and write an index.yaml file containing attacker-controlled data. This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments. This vulnerability is fixed in 2.0.0-beta.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in public-facing web platform (CWE-22) directly enables unauthenticated exploitation of the application to write arbitrary files and modify behavior.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-46199Same product: Getgrav Grav
CVE-2025-66295Same product: Getgrav Grav
CVE-2021-47812Same product: Getgrav Grav
CVE-2025-46198Same product: Getgrav Grav
CVE-2026-42611Same product: Getgrav Grav
CVE-2025-66294Same product: Getgrav Grav
CVE-2026-42612Same product: Getgrav Grav
CVE-2026-29924Same product: Getgrav Grav
CVE-2025-66299Same product: Getgrav Grav
CVE-2025-50286Same product: Getgrav Grav

Affected Assets

getgrav
grav
2.0.0 · ≤ 2.0.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References