CVE-2026-59193
Received Received - Intake

Authenticated Admin ZIP Archive Crash in Grav CMS

Vulnerability report for CVE-2026-59193, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Grav is a file-based Web platform. Prior to 2.0.0, an authenticated admin.super user can crash Grav or fill the disk by uploading a specially crafted ZIP archive through the Direct Install tool because Installer::unZip calls ZipArchive::extractTo without limits on uncompressed size, entry count, or directory depth. This issue is fixed in version 2.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
grav grav to 2.0.0 (exc)
getgrav grav to 2.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated admin.super user to upload a specially crafted ZIP archive that can cause denial of service or disk exhaustion on the Grav CMS server. Such an attack could lead to system downtime or data unavailability.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the potential for denial of service and disk exhaustion could indirectly impact compliance by affecting data availability and system reliability, which are important aspects of these regulations.

However, there is no direct information provided about how this vulnerability impacts specific regulatory requirements or compliance frameworks.

Executive Summary

CVE-2026-59193 is a vulnerability in the Grav CMS Installer::unZip() function that affects versions prior to 2.0.0. An authenticated admin.super user can upload a specially crafted ZIP archive through the Direct Install tool which can cause denial of service or disk exhaustion.

The root cause is that the unZip function calls ZipArchive::extractTo() without validating the archive's uncompressed size, number of entries, or directory depth. This allows attacks such as Zip Bombs, stack overflows, and disk or inode exhaustion by uploading malicious ZIP files with thousands of nested directories or highly compressed data.

Additionally, the cleanup process fails to handle deep directory nesting properly, leaving extracted files on disk and exacerbating resource exhaustion.

Impact Analysis

This vulnerability can lead to a denial of service condition by crashing the Grav CMS or filling the server's disk space and exhausting inodes.

An attacker with admin.super privileges can exploit this by uploading malicious ZIP files that cause the system to run out of disk space or crash due to stack overflow during cleanup.

This can result in service downtime, loss of availability, and potential disruption of normal operations.

Detection Guidance

This vulnerability involves an authenticated admin.super user uploading a specially crafted ZIP archive through the Direct Install tool to exploit the Installer::unZip() function. Detection involves monitoring for unusual ZIP archive uploads with characteristics such as extremely large uncompressed size, excessive file count, or deep directory nesting.

Since the vulnerability is exploited via ZIP files uploaded by an admin.super user, you can detect potential exploitation attempts by auditing upload logs for ZIP files with unusually large sizes or many entries.

There are no specific commands provided in the resources, but general detection steps could include:

  • Review Grav CMS Direct Install tool logs for ZIP upload events by admin.super users.
  • Check for unusually large ZIP files or ZIP files with thousands of entries or deep directory structures.
  • Monitor disk usage and inode consumption for sudden spikes that may indicate ZIP bomb extraction.
  • Use file system commands such as 'du -sh' and 'find' to identify large or deeply nested directories created recently in the Grav installation directories.
  • Example commands to investigate suspicious extracted files:
  • - `du -sh /path/to/grav/user/data/tmp/*` to check size of extracted directories.
  • - `find /path/to/grav/user/data/tmp/ -type d -depth +48` to find directories deeper than the fixed limit.
Mitigation Strategies

The primary mitigation is to upgrade Grav CMS to version 2.0.0 or later, where this vulnerability is fixed.

The fix includes enforcing limits on ZIP archive extraction such as maximum uncompressed size (1 GiB), maximum file count (50,000), and maximum directory depth (48). These limits prevent ZIP bomb attacks and disk exhaustion.

If upgrading immediately is not possible, consider restricting or disabling the Direct Install tool for admin.super users to prevent uploading untrusted ZIP archives.

Monitor disk space and inode usage closely to detect and respond to any suspicious activity.

Review and clean up any leftover extracted files from previous exploitation attempts, especially deeply nested directories that the cleanup process may have failed to remove.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59193. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart