Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.
Published: 2026-05-11
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated administrator of the Grav file‑based web platform can upload a specially crafted ZIP archive through the "Direct Install" interface. The system blocks direct PHP uploads but does not inspect the contents of ZIP files, allowing a malicious plugin to be extracted and executed. This leads to arbitrary PHP code execution or the placement of a persistent web shell, providing attackers with full control over the web server.

Affected Systems

The Grav content management system from getgrav is affected. All releases prior to 2.0.0‑beta.2 are vulnerable; versions 2.0.0‑beta.2 and newer contain the fix.

Risk and Exploitability

The vulnerability scores a CVSS of 9.1, indicating critical severity. EPSS data is not available, but case study availability in advisory links suggests it is being actively exploited. The vulnerability is not currently listed in the CISA KEV catalog. Because the exploit requires administrative authentication and the ability to use the Direct Install tool, the attack vector is credential‑based but trivial for compromised or privileged accounts. The high severity and the potential for total server compromise make this a top‑priority issue.

Generated by OpenCVE AI on May 11, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Grav 2.0.0‑beta.2 update or later to eliminate the vulnerability.
  • Disable the Direct Install feature or restrict it to trusted users until a patch is applied.
  • Audit the site for unexpected plugin files or code that may have been introduced via the exploit and remove them.

Generated by OpenCVE AI on May 11, 2026 at 16:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w48r-jppp-rcfw Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Getgrav
Getgrav grav
Vendors & Products Getgrav
Getgrav grav

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.
Title Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Getgrav Grav
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:46:49.864Z

Reserved: 2026-04-29T00:31:15.725Z

Link: CVE-2026-42607

cve-icon Vulnrichment

Updated: 2026-05-12T13:46:40.242Z

cve-icon NVD

Status : Deferred

Published: 2026-05-11T16:17:32.720

Modified: 2026-05-12T14:51:21.830

Link: CVE-2026-42607

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T17:15:39Z

Weaknesses