What the vulnerability does
01Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rocketgenius Inc. Gravity Forms allows Path Traversal.
This issue affects Gravity Forms: from n/a through 2.10.0.1.
Explanation of Vulnerability in Simple Terms
02Summary
Gravity Forms versions up to 2.10.0.1 contain a path traversal vulnerability that allows an attacker to read or write arbitrary files on the server. The vulnerability requires user interaction—typically a victim must click a malicious link or visit a crafted page. Successful exploitation grants access to sensitive files and can lead to site compromise.
What an attacker can do
03Attacker Capabilities
Read or write arbitrary files on the server, potentially exposing sensitive data or injecting malicious code.
Potential impact on your site
04Site Impact
Attackers can access configuration files, database credentials, or inject code to take over the site.
Conditions required to exploit
05Prerequisites
User interaction required (victim must click a link or visit a page); no authentication needed.
Key dates
06Disclosure timeline
June 1, 2026
CVE published
June 1, 2026
Record updated