CVE-2025-50286

HIGH

Grav CMS 1.7.48 - Authenticated Remote Code Execution via Plugin Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-50286. PoCs published by /bin/neko, binneko, x1o3, including Metasploit module exploits/multi/http/grav_admin_direct_install_rce_cve_2025_50286.

AI-analyzed exploit summary This exploit demonstrates an authenticated RCE vulnerability in Grav CMS 1.7.48 via the Direct Install feature, allowing an admin to upload a malicious plugin containing arbitrary PHP code. The PoC includes steps to achieve a reverse shell.

Description

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access.

Exploits (4)

exploitdb WORKING POC
by /bin/neko · textwebappsphp
https://www.exploit-db.com/exploits/52402

This exploit demonstrates an authenticated RCE vulnerability in Grav CMS 1.7.48 via the Direct Install feature, allowing an admin to upload a malicious plugin containing arbitrary PHP code. The PoC includes steps to achieve a reverse shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Grav CMS v1.7.48 / Admin Plugin v1.10.48
Auth required
Prerequisites: Admin credentials · Access to the admin panel · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by binneko · poc
https://github.com/binneko/CVE-2025-50286

This repository contains a functional exploit for CVE-2025-50286, demonstrating an authenticated RCE vulnerability in Grav CMS v1.7.48 with Admin Plugin v1.10.48 via malicious plugin upload. The PoC includes a malicious plugin that executes arbitrary commands via shell_exec($_GET['cmd']).

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Grav CMS v1.7.48 / Admin Plugin v1.10.48
Auth required
Prerequisites: Administrator access to Grav CMS Admin Panel
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by x1o3 · poc
https://github.com/x1o3/CVE-2025-50286

This repository contains a functional Metasploit module for CVE-2025-50286, which exploits an authenticated RCE vulnerability in Grav CMS via the Admin panel's Direct Install plugin functionality. The exploit uploads a crafted plugin archive containing arbitrary PHP code, leading to remote command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Grav CMS 1.7.x with Admin Plugin v1.10.x
Auth required
Prerequisites: Authenticated admin access to Grav CMS · Direct Install functionality enabled
devstral-2 · analyzed Mar 01, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by binneko, x1o3 · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/grav_admin_direct_install_rce_cve_2025_50286.rb

This Metasploit module exploits an authenticated RCE vulnerability in Grav CMS by uploading a malicious plugin via the Direct Install feature. It authenticates as an admin, crafts a plugin archive with embedded PHP payload, and triggers execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Grav CMS <=1.7.49.5 with Admin Plugin <=1.10.49.3
Auth required
Prerequisites: Admin credentials · Access to admin panel
devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory
https://github.com/binneko/CVE-2025-50286

Scores

CVSS v3 8.1
EPSS 0.7313
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
getgrav/grav 1.7.48
Published Aug 06, 2025
Tracked Since Feb 18, 2026