Grav before 9.1.8 contains an arbitrary file write vulnerability in the Form plugin's process.save.filename parameter, which is validated against path traversal before Twig processing but never re-validated after rendering. Attackers can submit form data containing path traversal sequences that are processed through Twig templates, allowing them to write arbitrary files including PHP webshells to the web root or other sensitive directories.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-61873 exploits a validation gap in Grav's Form plugin where user-supplied filenames are sanitized against path traversal attacks before Twig template processing, but critically lack re-validation after rendering. This allows attackers to inject path traversal sequences (e.g., `../../../`) that remain dormant during initial validation, then expand during Twig template rendering to escape intended directories. The vulnerability enables arbitrary file writes—including PHP webshells—to web-accessible locations, giving attackers remote code execution. Organizations running Grav versions before 9.1.8 with the Form plugin enabled face immediate risk, particularly those allowing untrusted users to submit form data.
While CVE-2026-61873 doesn't map directly to MITRE ATT&CK techniques in public repositories, Casky.ai's extended reasoning capabilities would detect the attack patterns underlying this vulnerability by correlating multiple security skills across the 754 mapped techniques. Practitioners using Casky would identify indicators such as T1190 (Exploit Public-Facing Application) through detection of suspicious form submissions with encoded or obfuscated path traversal payloads, T1059 (Command Execution) signatures when PHP webshells are written to web roots, and T1036 (Masquerading) patterns in filenames designed to evade detection. The platform's Claude-powered analysis would surface the validation-gap attack pattern itself—a post-processing exploitation technique—allowing security teams to recognize similar double-validation flaws in other template-driven applications and implement layered file operation controls before Casky findings reach practitioner dashboards.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-61873. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation