
CVE-2026-42607: Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

May 5, 2026

An authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the “Direct Install” tool. The upload handler blocks files whose own name ends in .php, but it does not inspect the entries inside an uploaded ZIP archive. Once the archive is extracted into the plugin directory, the attacker's PHP files are executed by the server, giving arbitrary code execution or a persistent web shell. The privilege requirement is reflected in the CVSS vector below (PR:H).
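The gap the advisory describes (an extension check on the uploaded filename, none on the archive's contents) is easiest to see side by side. The following is an added example, not code from Grav or from the fixing commit: `filename_only_check` stands in for the bypassable pattern, and `inspect_plugin_zip` enumerates the archive before anything is extracted, flagging path traversal ("zip slip"), symlinks, a missing single top-level plugin directory, and PHP entries containing common web-shell indicators. The two archives, the indicator regexes and all function names are constructed for this illustration. A legitimate plugin necessarily contains PHP, so the content scan is heuristic triage rather than a verdict, and no such check replaces upgrading to a fixed version.

```python
"""Archive-content inspection for plugin ZIP uploads (added example, not Grav code)."""
from __future__ import annotations

import io
import posixpath
import re
import zipfile

# Heuristic web-shell indicators (constructed for this example; a production
# scanner would use a maintained ruleset, e.g. YARA).
SHELL_PATTERNS = {
    "code evaluation": re.compile(rb"\b(?:eval|assert|create_function)\s*\("),
    "command execution": re.compile(
        rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open|pcntl_exec)\s*\("),
    "encoded payload": re.compile(rb"\b(?:base64_decode|gzinflate|str_rot13)\s*\("),
}
PHP_SUFFIXES = (".php", ".phtml", ".phar", ".php5", ".php7", ".phps")


def build_zip(entries: dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {entry name: content}; used for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives. The malicious one carries a web shell inside the
# plugin tree and a second one that escapes the extraction directory.
BENIGN_PLUGIN = build_zip({
    "example/blueprints.yaml": "name: Example\nversion: 1.0.0\n",
    "example/example.php": "<?php\nnamespace Grav\\Plugin;\nuse Grav\\Common\\Plugin;\n"
                           "class ExamplePlugin extends Plugin {}\n",
})
MALICIOUS_PLUGIN = build_zip({
    "evil/evil.php": "<?php\nnamespace Grav\\Plugin;\nclass EvilPlugin {}\n",
    "evil/assets/cmd.php": '<?php system($_GET["c"]); ?>',
    "../../../user/pages/shell.php": '<?php eval(base64_decode($_POST["p"])); ?>',
})


def filename_only_check(upload_name: str) -> bool:
    """The bypassable pattern: accept unless the *uploaded* file is named *.php."""
    return not upload_name.lower().endswith(PHP_SUFFIXES)


def is_php_name(name: str) -> bool:
    """PHP by extension, including double extensions such as shell.php.txt."""
    lower = name.lower()
    return lower.endswith(PHP_SUFFIXES) or ".php." in lower


def inspect_plugin_zip(data: bytes, max_entry_size: int = 5 * 1024 * 1024) -> list[str]:
    """Inspect every entry before extraction; an empty list means nothing suspicious."""
    findings: list[str] = []
    top_levels: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            top_levels.add(name.split("/")[0])
            # Absolute paths, backslashes and ".." that climbs out of the target dir.
            if (posixpath.isabs(name) or "\\" in name
                    or posixpath.normpath(name).split("/")[0] == ".."):
                findings.append(f"{name}: path escapes the extraction directory")
            # Symlinks (Unix mode bits live in the high 16 bits of external_attr).
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                findings.append(f"{name}: symbolic link")
            if info.is_dir():
                continue
            if info.file_size > max_entry_size:
                findings.append(f"{name}: entry too large to inspect ({info.file_size} bytes)")
                continue
            if not is_php_name(name):
                continue
            content = zf.read(info)
            for label, pattern in SHELL_PATTERNS.items():
                if pattern.search(content):
                    findings.append(f"{name}: {label}")
    if len(top_levels) != 1:
        findings.append("archive does not unpack into a single plugin directory")
    return findings


if __name__ == "__main__":
    print("filename-only check accepts evil.zip:", filename_only_check("evil.zip"))
    print("benign findings:", inspect_plugin_zip(BENIGN_PLUGIN))
    for finding in inspect_plugin_zip(MALICIOUS_PLUGIN):
        print("malicious:", finding)
```

Run against the two constructed archives, the filename-only check accepts both (their names end in .zip), while the archive inspection passes the benign plugin and reports the traversal entry, the command-execution sink in `evil/assets/cmd.php`, the eval/base64 pair in the escaping entry, and the fact that the archive does not unpack into one plugin directory.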

References

  • github.com/advisories/GHSA-w48r-jppp-rcfw
  • github.com/getgrav/grav
  • github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663
  • github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw
  • nvd.nist.gov/vuln/detail/CVE-2026-42607

Affected versions

All versions before 2.0.0-beta.2

Fixed versions

  • 2.0.0-beta.2

Solution

Upgrade to version 2.0.0-beta.2 or above.

Impact: 9.1 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Weakness

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

Source file

packagist/getgrav/grav/CVE-2026-42607.yml

Page generated Sat, 09 May 2026 00:18:59 +0000.