CVE-2026-42607
Received Received - Intake
Remote Code Execution in Grav CMS via Malicious ZIP Upload

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-20
NVD
CVE-2026-42607
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getgrav grav to 2.0.0-beta.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-42607 is a critical Remote Code Execution vulnerability that allows an authenticated administrator to execute arbitrary code on the server by uploading a malicious ZIP file. This can lead to full server compromise.

Such a compromise can result in unauthorized access, modification, or exfiltration of sensitive data, which may include personal or protected health information depending on the deployment context.

Therefore, this vulnerability poses a significant risk to compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access and ensuring system integrity.

Organizations using vulnerable versions of Grav CMS should upgrade to the patched version and restrict plugin installations to trusted sources to mitigate these compliance risks.

Executive Summary

CVE-2026-42607 is a critical Remote Code Execution (RCE) vulnerability in the Grav CMS platform versions prior to 2.0.0-beta.2. It allows an authenticated user with administrative privileges to upload a specially crafted ZIP file through the "Direct Install" tool. Although the system blocks direct uploads of .php files, it fails to inspect the contents of ZIP archives properly.

When the malicious ZIP file is uploaded, its contents are extracted directly into the /user/plugins/ or /user/themes/ directories without validating the files inside or preventing path traversal attacks. This enables an attacker to deploy a malicious plugin that can execute arbitrary PHP code or install a persistent web shell on the server.

The vulnerability is fixed in version 2.0.0-beta.2 by adding validation to ZIP entries to prevent path traversal, but it does not fully address malicious plugin code within the archive.

Impact Analysis

This vulnerability can lead to a full server compromise if exploited by an attacker with administrative access. By uploading a crafted ZIP file, the attacker can execute arbitrary PHP code remotely, potentially gaining control over the web server.

The attacker can install persistent web shells, allowing ongoing unauthorized access, data theft, or further attacks on the system. This can result in loss of confidentiality, integrity, and availability of the affected system.

Because the vulnerability requires administrative privileges, the risk is limited to users who already have high-level access, but the impact remains critical due to the ability to execute code remotely.

Detection Guidance

This vulnerability involves an authenticated administrator uploading a malicious ZIP file through the /admin/tools/direct-install endpoint. Detection can focus on monitoring for unusual or unauthorized uploads to this endpoint.

You can check web server logs for POST requests to /admin/tools/direct-install, especially those containing ZIP files.

  • Use command-line tools like grep to search for such requests in access logs, for example: grep "/admin/tools/direct-install" /var/log/apache2/access.log
  • Inspect extracted plugin directories under /user/plugins/ or /user/themes/ for recently added or modified files that may contain PHP web shells.
  • Use file integrity monitoring tools or commands like find to locate recently changed PHP files: find /path/to/grav/user/plugins/ -type f -name "*.php" -mtime -7

Since the vulnerability requires administrative authentication, reviewing admin user activity and access logs can also help detect suspicious behavior.

Mitigation Strategies

The primary mitigation step is to upgrade Grav CMS to version 2.0.0-beta.2 or later, where the vulnerability is fixed.

Until the upgrade is applied, restrict administrative access to trusted users only and avoid using the Direct Install tool to upload plugins.

  • Disable or restrict access to the /admin/tools/direct-install endpoint to prevent uploading of ZIP files.
  • Only install plugins from trusted sources and verify their integrity before installation.

Regularly audit the /user/plugins/ and /user/themes/ directories for unauthorized or suspicious files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42607. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart