CVE-2026-42607
CriticalSummary
Grav is a file-based web platform. Prior to version 2.0.0-beta.2, an authenticated user with administrative privileges could achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the 'Direct Install' tool.
Risk Assessment
The organization is at risk of remote code execution, which could lead to server takeover and data leakage.
Recommendation
It is recommended to upgrade to version 2.0.0-beta.2 or later to mitigate this vulnerability.
Original NVD description (English source)
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.

