CVE Catalog

CVE-2026-42607

Critical
Published: Translated: NVD NIST

Summary

Grav is a file-based web platform. Prior to version 2.0.0-beta.2, an authenticated user with administrative privileges could achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the 'Direct Install' tool.

Risk Assessment

The organization is at risk of remote code execution, which could lead to server takeover and data leakage.

Recommendation

It is recommended to upgrade to version 2.0.0-beta.2 or later to mitigate this vulnerability.

Original NVD description (English source)

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS