High severityNVD Advisory· Published Mar 21, 2024· Updated Apr 10, 2025

Grav File Upload Path Traversal vulnerability

CVE-2024-27921

Description

Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks, that can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to patched version 1.7.45 can mitigate the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
getgrav/gravPackagist	< 1.7.45	1.7.45

Affected products

Getgrav/Gravv5
Range: < 1.7.45

Patches

5928411b86ba

fixed path traversal by santize checking fiilename

https://github.com/getgrav/gravAndy MillerMar 4, 2024via ghsa

commit

2 files changed · +3 −0

CHANGELOG.md+1 −0 modified

@@ -6,6 +6,7 @@
 1. [](#bugfix)
    * Fixed some multibyte issues in Inflector class [#732](https://github.com/getgrav/grav/issues/732)
    * Fallback to page modified date if Page date provided is invalid and can't be parsed [getgrav/grav-plugin-admin#2394](https://github.com/getgrav/grav-plugin-admin/issues/2394)
+   * Fixed a path traversal vulnerability with file uploads [GHSA-m7hx-hw6h-mqmc](https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc)
 
 # v1.7.44
 ## 01/05/2024

system/src/Grav/Common/Utils.php+2 −0 modified

@@ -989,6 +989,8 @@ public static function checkFilename($filename): bool
             || strtr($filename, "\t\v\n\r\0\\/", '_______') !== $filename
             // Filename should not start or end with dot or space.
             || trim($filename, '. ') !== $filename
+            // Filename should not contain path traversal
+            || str_replace('..', '', $filename) !== $filename
             // File extension should not be part of configured dangerous extensions
             || in_array($extension, $dangerous_extensions)
         );

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-m7hx-hw6h-mqmcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-27921ghsaADVISORY
github.com/getgrav/grav/commit/5928411b86bab05afca2b33db4e7386a44858e99ghsax_refsource_MISCWEB
github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmcghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.007
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000