CVE-2026-42607

CRITICAL

Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42607. PoCs published by Mustafa Murat Akgül.

AI-analyzed exploit summary: The exploit leverages a Zip Slip vulnerability in Grav CMS's Direct Install feature to achieve RCE by uploading a malicious plugin that drops a web shell. The payload hooks into Grav's event system to execute arbitrary PHP code upon plugin initialization.

Description

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.
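The missing step the description identifies is inspection of the archive before it is unpacked. As an added example (not Grav's code), the Python check below applies the standard Zip Slip containment rule to every member of an uploaded ZIP before extraction: no absolute paths, no `..` components, no symlink members, and every resolved target must stay under the plugins directory. The destination path, member names and the sample archive are constructed for this example.

```python
import io
import os
import zipfile


def check_archive_paths(zip_bytes: bytes, dest_dir: str) -> dict[str, list[str]]:
    """Inspect every member of an uploaded ZIP before anything is extracted.

    Returns {member name: [reasons]}; an empty dict means every member would be
    written inside dest_dir and no member is a symlink.
    """
    dest_root = os.path.realpath(dest_dir)
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            name = info.filename.replace("\\", "/")
            # Absolute paths and drive letters escape dest_dir outright.
            if name.startswith("/") or (name[:1].isalpha() and name[1:2] == ":"):
                reasons.append("absolute path")
            # A '..' component is the Zip Slip primitive itself.
            if ".." in name.split("/"):
                reasons.append("path traversal")
            # A symlink member (Unix mode in the high 16 bits) can point anywhere.
            if ((info.external_attr >> 16) & 0o170000) == 0o120000:
                reasons.append("symlink member")
            # Containment check: the resolved target must stay under dest_root.
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                reasons.append("resolves outside destination")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (names invented for this example): two benign
    plugin files, one traversal entry and one symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example-plugin/example-plugin.php", "<?php // plugin code\n")
        zf.writestr("example-plugin/blueprints.yaml", "name: Example\n")
        zf.writestr("../../../webroot/dropped.php", "<?php // outside plugins/\n")
        link = zipfile.ZipInfo("example-plugin/link")
        link.external_attr = 0o120777 << 16  # mark the member as a symlink
        zf.writestr(link, "/etc/passwd")  # a symlink's target is the member body
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in check_archive_paths(build_sample_archive(), "/srv/grav/user/plugins").items():
        print(f"REJECT {member}: {', '.join(reasons)}")
```

This check only governs where members land; a plugin's own PHP still runs once installed, so administrative access to Direct Install remains the trust boundary (hence PR:H in the CVSS vector below).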

Exploits (1)

Exploit-DB (working PoC)
by Mustafa Murat Akgül · python · webapps · php
https://www.exploit-db.com/exploits/52578


Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Grav CMS < 2.0.0-beta.2 (Admin Plugin enabled)
Authentication: required
Prerequisites: Administrative access to Grav Admin panel · Direct Install feature enabled
Analyzed by devstral-2 on May 27, 2026

Scores

CVSS v3: 9.1
EPSS: 0.0046
EPSS percentile: 64.1%
Attack vector: Network
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: PoC
Automatable: no
Technical impact: total

Details

CWE: CWE-94 (Improper Control of Generation of Code, "Code Injection")
Status: published
Products (2)
getgrav/grav 0 - 2.0.0-beta.2 (Packagist)
getgrav/grav < 2.0.0-beta.2
Published: May 11, 2026
Tracked since: May 11, 2026