CVE-2026-42607
Remote Code Execution in Grav CMS via Malicious ZIP Upload
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgrav | grav | all versions before 2.0.0-beta.2 (2.0.0-beta.2 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42607 is a critical remote code execution (RCE) vulnerability in Grav CMS versions before 2.0.0-beta.2. An authenticated user with administrative privileges can upload a specially crafted ZIP archive through the admin panel's "Direct Install" tool. Grav blocks direct uploads of .php files, but it does not apply the same scrutiny to the contents of a ZIP archive.
When the archive is uploaded, its entries are extracted straight into /user/plugins/ or /user/themes/ without validating the files inside and without checking entry names for path traversal (for example, names containing ../ segments), so an entry can be written outside the intended directory. An attacker can therefore deploy a malicious plugin that executes arbitrary PHP code, or drop a persistent web shell on the server.
Version 2.0.0-beta.2 fixes the issue by validating ZIP entry names so that entries cannot escape the target directory. It does not address malicious plugin code inside the archive: Grav plugins are PHP code that the application loads and runs, so any plugin an administrator installs executes with the web server's privileges, and an untrusted archive remains dangerous even on a patched installation.
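The check that the paragraphs above describe as missing, as an added example that is not Grav's code and not the fix itself: a small Python audit that classifies every entry of a ZIP archive before anything is written to disk, rejecting traversal-style names (../ segments, absolute paths, backslash separators, symlink entries) and listing the PHP files a plugin archive would drop under the web root. Next to it sit a naive extractor that reproduces the escape and a safe extractor that refuses the archive and double-checks each resolved path. Both archives are constructed in memory for the demo (the "shell.php" holds only a comment), and the PHP suffix list is an assumption.

```python
"""Constructed example of ZIP-entry validation before extraction (not Grav code)."""
import io
import os
import stat
import tempfile
import zipfile

# Extensions the web server would execute under the web root (assumption).
PHP_SUFFIXES = (".php", ".phtml", ".phar", ".phps")


def entry_problem(info):
    """Return why a ZipInfo entry is unsafe to extract, or None if it is fine."""
    name = info.filename.replace("\\", "/")  # treat Windows separators as '/'
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    if any(part == ".." for part in name.split("/")):
        return "parent-directory traversal"
    if stat.S_ISLNK(info.external_attr >> 16):  # Unix mode bits in high 16 bits
        return "symlink entry"
    return None


def audit_zip(data):
    """Classify every entry of an in-memory ZIP without extracting anything."""
    findings = {"unsafe": [], "php": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_problem(info):
                findings["unsafe"].append(info.filename)
            elif info.filename.lower().endswith(PHP_SUFFIXES):
                findings["php"].append(info.filename)
            else:
                findings["other"].append(info.filename)
    return findings


def naive_extract(data, dest):
    """The flawed pattern: join each entry name onto dest with no checks."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # '../' walks out of dest
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))


def safe_extract(data, dest):
    """Refuse the whole archive if any entry fails the audit, then extract with
    a realpath containment test on every target as a second line of defence."""
    findings = audit_zip(data)
    if findings["unsafe"]:
        raise ValueError("unsafe entries: %s" % findings["unsafe"])
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("entry escapes destination: " + info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written


def build_zip(entries):
    """Build an in-memory ZIP from an ordered {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives: a plausible plugin layout and a hostile one.
BENIGN_ZIP = build_zip({
    "myplugin/blueprints.yaml": b"name: myplugin\n",
    "myplugin/myplugin.php": b"<?php // placeholder plugin class\n",
})
EVIL_ZIP = build_zip({
    "../../escaped.txt": b"written two levels above the plugins directory\n",
    "myplugin/shell.php": b"<?php // placeholder only, not a real web shell\n",
})


def demo_escape():
    """Extract EVIL_ZIP both ways into a scratch tree; return
    (naive extractor wrote outside dest, safe extractor refused)."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "user", "plugins")
        os.makedirs(dest)
        naive_extract(EVIL_ZIP, dest)
        escaped = os.path.exists(os.path.join(root, "escaped.txt"))
        try:
            safe_extract(EVIL_ZIP, dest)
            refused = False
        except ValueError:
            refused = True
    return escaped, refused


def demo_benign():
    """Safe extraction of the benign archive returns the entries it wrote."""
    with tempfile.TemporaryDirectory() as root:
        return sorted(safe_extract(BENIGN_ZIP, root))


if __name__ == "__main__":
    print("evil archive audit:", audit_zip(EVIL_ZIP))
    print("naive escaped, safe refused:", demo_escape())
    print("benign extracted:", demo_benign())
```

Note that the audit rejects the whole archive rather than skipping bad entries: an archive that contains even one traversal name was not produced by a legitimate packaging tool, and partial extraction would leave a half-installed plugin on disk. The realpath check in safe_extract is deliberately redundant with the name audit; it also catches escapes through a symlinked directory that already exists under the destination.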
How can this vulnerability impact me?
If exploited by an attacker who holds an administrator account or a hijacked admin session, this vulnerability can lead to full compromise of the web server: the crafted ZIP lets the attacker execute arbitrary PHP code as the web server user.
From there the attacker can install a persistent web shell for ongoing unauthorized access, steal data from the site and its database, or use the host to attack other systems, affecting the confidentiality, integrity, and availability of the server.
Because exploitation requires administrative privileges, an attacker first needs valid administrator credentials or an active admin session. That precondition lowers the likelihood of exploitation but not its severity: the flaw turns a CMS account into code execution on the server, which is why it is rated critical.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation consists of an authenticated administrator uploading a ZIP archive to the admin panel's Direct Install endpoint, /admin/tools/direct-install (the /admin prefix is Grav's default admin route and will differ if the route was changed in the admin plugin configuration). Detection therefore focuses on uploads to that endpoint and on what appears on disk afterwards.
Check the web server access logs for POST requests to /admin/tools/direct-install; legitimate use should be rare and attributable to a known administrator.
- Search the access log with grep, for example: grep "POST /admin/tools/direct-install" /var/log/apache2/access.log (use /var/log/nginx/access.log on nginx), and review the source IP, timestamp, and response code of every hit.
- Inspect /user/plugins/ and /user/themes/ for recently added or modified files, and for plugin or theme directories nobody on the team installed.
- Use file integrity monitoring, or find, to list recently changed PHP files: find /path/to/grav/user/plugins/ /path/to/grav/user/themes/ -type f -iname "*.php" -mtime -7. An attacker can reset modification times with touch, so repeat the search with -ctime -7, which uses the inode change time and cannot be back-dated that way. Also look for unexpected files outside these two directories, since a traversal entry in the archive can land anywhere the web server user can write.
Since exploitation requires administrative authentication, also review admin logins and activity around the time of any upload: an administrator session from an unfamiliar address followed by a Direct Install request is the sequence to look for.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Grav CMS to 2.0.0-beta.2 or later, which validates ZIP entry names before extraction.
Until the upgrade is applied, limit administrative access to trusted users and avoid using the Direct Install tool to upload plugins or themes.
- Disable or restrict access to /admin/tools/direct-install at the web server or reverse proxy so that ZIP uploads never reach Grav (adjust the path if the admin route has been changed from the default /admin).
- Only install plugins and themes from trusted sources; before installing an archive, confirm where it came from and inspect its entries for path traversal names and unexpected PHP files. The fix stops entries escaping the plugin directory, but it cannot make an untrusted plugin's PHP safe to run.
Regularly audit /user/plugins/ and /user/themes/ for unauthorized or suspicious files, and protect administrator accounts with strong, unique passwords and two-factor authentication where available, since the vulnerability is reachable only from an admin session.
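One way to implement the endpoint restriction in the list above, as an added example rather than configuration taken from the page or from the Grav project: an Apache 2.4 <Location> block that denies every request to the Direct Install path unless it comes from a trusted administrator network. The path assumes Grav's default /admin route and the endpoint named in this advisory, and 203.0.113.0/24 is a placeholder documentation range standing in for the real admin network.

```apache
# Constructed example, not Grav's or the advisory's configuration.
# Block Direct Install uploads at the web server, before the request is
# rewritten to Grav's index.php. Adjust the path if the admin route is not /admin.
<Location "/admin/tools/direct-install">
    # Only the administrator network (placeholder range) may reach this URL;
    # every other client receives 403 regardless of its Grav session.
    Require ip 203.0.113.0/24
</Location>
```

Apache evaluates the Require directive for a <Location> against the original request URI during the authorization phase, which runs before per-directory mod_rewrite rules in Grav's .htaccess, so the 403 is returned without Grav ever seeing the upload. To disable the tool entirely rather than restrict it, replace the Require ip line with Require all denied.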