External risk intelligence

Admin attacker can take control of Grav CMS by uploading a malicious file

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-42607

An internal attacker with administrative access can exploit the Grav platform's installation tool to run malicious code on the server. This could allow them to take full control of the system and access sensitive site data.

Halo Surface Signal: 3

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-42607

This issue exists within the administrative backend of a web-based CMS. Accessing the plugin installation tool requires valid administrative credentials. While web administrative interfaces are often reachable from the internet in many deployments, they are restricted by authentication, which limits direct reachability compared to unauthenticated public-facing services.

Horizon Alert

Summary of the vulnerability and why it matters

An authenticated user with administrative privileges on the Grav platform can upload a crafted ZIP file to gain remote code execution. While Grav prevents direct uploads of malicious PHP files, it does not properly inspect the contents of ZIP archives, allowing the extraction and execution of arbitrary code. This issue is significant because it can lead to a complete compromise of the server.

  • Admin access needed.
  • Can lead to server takeover.
  • Affects Grav CMS.

Attack Path

How an attacker could exploit the issue

An attacker with administrative privileges in Grav CMS could exploit this by uploading a malicious ZIP file disguised as a plugin through the "Direct Install" tool. The system's failure to properly scan the contents of the ZIP archive would allow a malicious PHP file to be extracted and executed, leading to Remote Code Execution.

  • Authenticated administrator access needed.
  • Uploading ZIP via Direct Install.
  • Targets Grav CMS prior to 2.0.0-beta.2.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows authenticated administrators to achieve RCE through a crafted ZIP file, bypassing the intended restrictions on .php uploads. Although administrative access is a significant hurdle, the severity of RCE can make this an attractive target for sophisticated attackers who have already obtained privileged access. No public exploit or KEV listing has been observed, which suggests the issue is not yet widely weaponized, but this could change.

  • Authentication required for exploitation.
  • No public exploit observed.
  • Not KEV listed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize immediate containment for Grav instances running versions prior to 2.0.0-beta.2, especially where compromise of an administrative account is suspected or confirmed. This critical RCE vulnerability via crafted ZIP uploads requires strict attention to prevent full system compromise.

  • Block all ZIP uploads to the "Direct Install" tool.
  • Upgrade Grav to version 2.0.0-beta.2 or later.
  • Monitor for unusual file creation or process execution.

Frequently asked questions

What is Grav CMS and how does it function?

Grav CMS is a file-based Content Management System (CMS) built on PHP, Symfony, and Twig templating. It uses flat files for content storage instead of a traditional database, making it fast, simple, and easy to set up. Grav is known for its flexibility and performance, with features like a built-in package manager for easy installation of plugins and themes.

What type of vulnerability does CVE-2026-42607 describe for Grav CMS?

CVE-2026-42607 is a critical Remote Code Execution (RCE) vulnerability in Grav CMS. It allows an authenticated administrator to execute arbitrary PHP code on the server by uploading a specially crafted ZIP file through the "Direct Install" tool. Because the contents of the ZIP archive are not inspected, this bypasses the system's safeguards against direct .php file uploads.

How is CVE-2026-42607 exploited in Grav CMS?

An attacker with administrative privileges crafts a ZIP archive that mimics a Grav plugin or theme structure. This archive contains a malicious PHP file. When uploaded via the "Direct Install" tool in Grav's Admin plugin, the system extracts the malicious code, which then executes with the web server's permissions, leading to RCE.

What is the significance of CVE-2026-42607 for systems using Grav CMS?

This vulnerability is significant because it allows for full server compromise, including the ability to drop a persistent web shell. While it requires administrative access, which is a barrier, a successful exploit can grant an attacker complete control over the Grav installation and the underlying host. This makes it a target for sophisticated attackers who gain administrative credentials through other means, like session hijacking.

How can Grav CMS be protected against CVE-2026-42607?

To mitigate CVE-2026-42607, it is crucial to upgrade Grav CMS to version 2.0.0-beta.2 or later, which contains the fix. Additionally, administrators should enforce strong password policies, enable multi-factor authentication, and audit administrator accounts. Regularly reviewing installed plugins and themes for unexpected files is also recommended.
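The "Operational Fix" section above recommends monitoring for unexpected files, and this answer recommends reviewing installed plugins and themes for them. The script below is an added example of a pre-install review step, written for this page and not part of Grav or of the advisory. It assumes (these assumptions are not taken from the page) that a Grav package archive unpacks into a single top-level directory containing a blueprints.yaml manifest, that static-asset directories such as assets/ or css/ never hold server-side code, and that the web server maps the extensions in PHP_EXTENSIONS to the PHP interpreter. The sample archives are constructed in memory so the script runs offline.

```python
"""Review a Grav plugin/theme ZIP before it is installed (added example,
not part of Grav or this advisory).

Assumptions not taken from the advisory: a package archive unpacks into one
top-level directory that contains a ``blueprints.yaml`` manifest, static-asset
directories never hold server-side code, and the web server maps the
extensions in PHP_EXTENSIONS to the PHP interpreter.
"""
import io
import posixpath
import zipfile

# Extensions commonly handed to the PHP interpreter (assumption: adjust to
# the web server's actual handler mapping).
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps"}
# Directories that hold static assets in a package (assumption).
STATIC_DIRS = {"assets", "css", "js", "images", "fonts"}


def inspect_package(data):
    """Inspect ZIP bytes and return a findings dict; see is_clean()."""
    findings = {
        "traversal": [],        # entries that would escape the target directory
        "top_level": [],        # top-level names; a package should have exactly one
        "missing_manifest": False,
        "php_in_static": [],    # PHP code placed among static assets
        "odd_php_ext": [],      # interpreter-mapped extensions other than .php
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    for name in names:
        parts = name.split("/")
        # Absolute paths, ".." components and backslashes are zip-slip style entries.
        if name.startswith("/") or ".." in parts or "\\" in name:
            findings["traversal"].append(name)
            continue
        if parts[0] not in findings["top_level"]:
            findings["top_level"].append(parts[0])
        if name.endswith("/"):
            continue                      # directory entry, nothing to check
        ext = posixpath.splitext(name.lower())[1]
        if ext not in PHP_EXTENSIONS:
            continue
        if ext != ".php":
            findings["odd_php_ext"].append(name)
        if any(part in STATIC_DIRS for part in parts[1:-1]):
            findings["php_in_static"].append(name)
    tops = findings["top_level"]
    if len(tops) == 1:
        findings["missing_manifest"] = f"{tops[0]}/blueprints.yaml" not in names
    return findings


def is_clean(findings):
    """True when the archive has the expected shape and no suspicious entries."""
    return (
        not findings["traversal"]
        and len(findings["top_level"]) == 1
        and not findings["missing_manifest"]
        and not findings["php_in_static"]
        and not findings["odd_php_ext"]
    )


def build_zip(entries):
    """Build an in-memory ZIP from (name, content) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a well-formed plugin skeleton.
GOOD_PACKAGE = build_zip([
    ("demo/blueprints.yaml", "name: Demo\nversion: 1.0.0\n"),
    ("demo/demo.php", "<?php\nnamespace Grav\\Plugin;\n"),
    ("demo/classes/Helper.php", "<?php\n"),
    ("demo/assets/demo.css", "body{}\n"),
])

# Constructed sample: code hidden among assets plus an entry that escapes the target dir.
BAD_PACKAGE = build_zip([
    ("demo/blueprints.yaml", "name: Demo\n"),
    ("demo/demo.php", "<?php\n"),
    ("demo/assets/img.phtml", "<?php\n"),
    ("../../outside.php", "<?php\n"),
])

if __name__ == "__main__":
    for label, data in (("good", GOOD_PACKAGE), ("bad", BAD_PACKAGE)):
        found = inspect_package(data)
        print(label, "clean" if is_clean(found) else "REVIEW", found)
```

The checks are deliberately heuristic: legitimate plugins do carry PHP in their root and in code directories such as classes/, so the script does not reject PHP outright. It flags only what a reviewer would want to look at, namely entries that would escape the extraction directory, archives without the expected single directory and manifest, interpreter-mapped extensions other than .php, and code placed where only static assets belong. The same inspection can be run over an already-installed plugin directory by listing its files instead of a ZIP, which covers the periodic review of installed plugins and themes that this answer recommends.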
