PT-2026-37273 · Grav · Grav

Akgul7990 · Published 2026-05-05 · Updated 2026-05-27 · CVE-2026-42607

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 2.0.0-beta.2

Description: An authenticated user with administrative privileges can achieve remote code execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. The installer does not inspect the contents of the uploaded archive, so a malicious package is extracted as a plugin and its PHP code is executed on the server, which is enough to drop a persistent web shell. The issue lies in the handling of the directInstall task in the Admin plugin and in the Grav Package Manager (GPM) core, specifically the Installer::install() function. The vulnerable endpoint is /admin/tools/direct-install.

Recommendations: Update to version 2.0.0-beta.2. As a temporary workaround, restrict access to the /admin/tools/direct-install endpoint to a small set of highly trusted administrators and do not install plugins from untrusted sources. Note that PR:H in the vector means the attacker already holds an administrator account: the practical risk is a compromised or malicious administrator turning panel access into code execution on the host, so protecting administrator credentials is part of the mitigation.
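The advisory's point is that Direct Install extracts whatever the archive contains. Until the update is applied, an administrator can at least refuse archives that escape the package directory and see every PHP file before uploading. The script below is an added illustration of that pre-check; it is not Grav's own code and does not reproduce what Installer::install() does. It assumes (the advisory does not say so) that a legitimate package unpacks into exactly one top-level directory that carries a blueprints.yaml, and the three sample archives are constructed in memory for the demonstration.

```python
"""Inspect a Grav package ZIP before it reaches Direct Install.

Added illustration, not code from Grav or this advisory. Assumption
(not stated on the page): a legitimate package unpacks into exactly one
top-level directory that carries a blueprints.yaml.
"""
import io
import posixpath
import stat
import zipfile

PHP_SUFFIXES = (".php", ".phtml", ".phar")


def inspect_package(zip_bytes: bytes) -> dict:
    """Walk the central directory without extracting a single entry."""
    findings = {"top_level": None, "has_blueprint": False,
                "php_files": [], "unsafe_paths": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # Absolute paths, backslashes and ".." segments escape the
            # extraction root (the zip-slip pattern).
            if name.startswith("/") or "\\" in name or norm.startswith(".."):
                findings["unsafe_paths"].append(name)
                continue
            # A symlink entry can redirect later writes outside the root.
            if stat.S_ISLNK(info.external_attr >> 16):
                findings["unsafe_paths"].append(name)
                continue
            parts = norm.split("/")
            if findings["top_level"] is None:
                findings["top_level"] = parts[0]
            elif parts[0] != findings["top_level"]:
                # A second top-level directory lands files outside the package.
                findings["unsafe_paths"].append(name)
                continue
            if parts[1:] == ["blueprints.yaml"]:
                findings["has_blueprint"] = True
            if name.lower().endswith(PHP_SUFFIXES):
                findings["php_files"].append(name)
    return findings


def verdict(findings: dict, expected_dir: str) -> tuple:
    """Decide whether the archive is safe to hand to the installer."""
    reasons = []
    if findings["unsafe_paths"]:
        reasons.append("entries escape or bypass the package directory: "
                       + ", ".join(findings["unsafe_paths"]))
    if findings["top_level"] != expected_dir:
        reasons.append(f"top-level directory is not {expected_dir!r}")
    if not findings["has_blueprint"]:
        reasons.append("no blueprints.yaml at the package root")
    return (not reasons, reasons)


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real packages.
GOOD = build_zip({
    "hello/blueprints.yaml": "name: Hello\nversion: 1.0.0\n",
    "hello/hello.php": "<?php\nnamespace Grav\\Plugin;\n// plugin class\n",
})
SLIP = build_zip({
    "hello/blueprints.yaml": "name: Hello\n",
    "hello/hello.php": "<?php\n",
    "../../shell.php": "<?php /* placeholder for a dropped web shell */\n",
})
SPRAWL = build_zip({
    "hello/blueprints.yaml": "name: Hello\n",
    "system/extra.php": "<?php\n",  # second top-level dir: outside the package
})

if __name__ == "__main__":
    for label, blob in (("GOOD", GOOD), ("SLIP", SLIP), ("SPRAWL", SPRAWL)):
        ok, why = verdict(inspect_package(blob), "hello")
        print(label, "accept" if ok else "reject", why)
```

The check reads only the central directory, so nothing is written to disk while deciding. It rejects archives with traversal segments, absolute paths, symlink entries or a second top-level directory, and lists the PHP files of the rest for review. It does not make Direct Install safe: a package whose only top-level directory is well formed still runs arbitrary PHP once installed, which is exactly why the endpoint has to be restricted and the update applied.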

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers: CVE-2026-42607 · GHSA-W48R-JPPP-RCFW

Affected Products: Grav