CVE-2025-50286

Name of the Vulnerable Software and Affected Versions: Grav CMS versions 1.7.48

Description: A Remote Code Execution (RCE) issue exists in Grav CMS version 1.7.48. An authenticated administrator can upload a malicious plugin through the /admin/tools/direct-install API endpoint. Upon upload, the plugin is automatically extracted and loaded, enabling arbitrary PHP code execution and potential reverse shell access. The /admin/tools/direct-install endpoint accepts plugin uploads, and the plugin variable is involved in the process.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /admin/tools/direct-install endpoint.