Vulnerability in Getgrav Grav-plugin-form

CVE-2026-42845

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now strip path components from the POST-suppl…

EPSS: 0.000 (4.8th percentile) — read the EPSS interpretation.

Affected products

Getgrav Grav-plugin-form — versions < 9.1.0

Weakness classification (CWE)

CWE-73 — External Control of File Name or Path

References

security-advisories@github.com (x_refsource_CONFIRM)
security-advisories@github.com (x_refsource_MISC)