CVE-2026-42845: Grav Form Plugin has an Anonymous Page Content Overwrite via Form File Upload filename Override
(Tested on Form 9.0.3, released on April 28th)
The Form plugin’s file upload handler at user/plugins/form/classes/Form.php:583 accepts a POST-supplied filename parameter ($filename = $post['filename'] ?? $upload['file']['name']) that overrides the original uploaded filename. The override passes through Utils::checkFilename(), which blocks only a narrow extension list (.php*, .htm*, .js, .exe). Markdown (.md) is not blocked.
A page’s directory under user/pages/ contains its .md content file (e.g. default.md, form.md). When a form’s file upload field has accept: ['*'] (or any policy that admits text files), an unauthenticated visitor can:
- Upload arbitrary content with filename=form.md (or other page-content filenames),
- Submit the form to trigger Form::copyFiles(), which overwrites the page's own .md file.
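The check that fails here is a blocklist consulted after a client-chosen name has already replaced the upload's own name. The following is an added illustration, not code from the Form plugin or from Grav's Utils::checkFilename(): it models that weak pattern next to a hardened version that ignores the override, strips directory components, and admits only an allowlisted set of extensions that excludes page-content (.md) files. The allowlist contents and the field_accepts_everything() helper are assumptions about what a defender would enforce.

```python
import os
import re
from typing import Optional

# Constructed model of the blocklist the advisory describes (.php*, .htm*, .js, .exe).
# Illustration only; not the plugin's actual Utils::checkFilename() implementation.
BLOCKED_EXT = re.compile(r"\.(php\w*|htm\w*|js|exe)$", re.IGNORECASE)


def weak_filename(post_filename: Optional[str], upload_name: str) -> Optional[str]:
    """Model of the vulnerable pattern: a POST 'filename' overrides the upload's
    own name and only the blocklist is consulted afterwards.
    Returns the name that would be stored, or None if rejected."""
    name = post_filename if post_filename is not None else upload_name
    return None if BLOCKED_EXT.search(name) else name


# Hardened policy (assumed defender's choice, not the plugin's configuration):
# an extension allowlist plus an explicit deny of page-content files.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
PAGE_CONTENT_EXT = {".md"}


def hardened_filename(post_filename: Optional[str], upload_name: str) -> Optional[str]:
    """Ignore any client-supplied override, strip directory components, and
    admit only allowlisted extensions that can never be page content."""
    del post_filename  # never let the client choose the destination name
    name = os.path.basename(upload_name.replace("\\", "/"))
    if name in ("", ".", ".."):
        return None
    ext = os.path.splitext(name)[1].lower()
    if ext in PAGE_CONTENT_EXT or ext not in ALLOWED_EXT:
        return None
    return name


def field_accepts_everything(accept) -> bool:
    """Flag an upload field whose 'accept' list admits any file (accept: ['*']),
    the configuration the advisory names as the precondition."""
    return any(a.strip() == "*" for a in accept)
```

Auditing existing form definitions for accept: ['*'] fields and storing uploads outside user/pages/ both remove the precondition regardless of which filename check is in place.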