CVE-2025-50286

Published Aug 6, 2025

Last updated 6 months ago

CVSS high 8.1

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-50286 describes a Remote Code Execution (RCE) vulnerability found in Grav CMS version 1.7.48. This flaw enables an authenticated administrator to upload a malicious plugin through the `/admin/tools/direct-install` interface. Upon successful upload, the system automatically extracts and loads the malicious plugin. This process allows for the execution of arbitrary PHP code and can grant an attacker reverse shell access to the affected system.

Description
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access.
Source
cve@mitre.org
NVD status
Analyzed
Products
grav

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-434

Social media

Hype score
Not currently trending

  1. Metasploit Framework is here with 5 new modules! Exploits for FreeScout (CVE-2026-28289) and Grav CMS (CVE-2025-50286) RCEs, plus a generic HTTP command execution module and a new Windows persistence technique. We also have a slew of bug fixes and enhancements including SOCKS

    @metasploit

    3 Apr 2026

    4401 Impressions

    10 Retweets

    35 Likes

    7 Bookmarks

    1 Reply

    0 Quotes

  2. 📡 Strategic Insight: Metasploit Wrap-Up 04/03/2026 📅 Context: Rapid7 released Metasploit Framework 6.4.125 on 2026-04-03; adds five new modules including FreeScout unauthenticated RCE, Grav CMS plugin-upload RCE (CVE-2025-50286), generic multi/http/os_cmd_exec, Windows

    @syedaquib77

    3 Apr 2026

    172 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-50286 Remote Code Execution in Grav CMS v1.7.48 via Authenticated Plugin Upload https://t.co/iRPCaajRz1

    @VulmonFeeds

    6 Aug 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-50286 A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interfa… https://t.co/KNEcR3ldv9

    @CVEnew

    6 Aug 2025

    259 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.CVE-2026-42844
  2. Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.CVE-2026-44738
  3. Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The public attribute() media method can be reached this way, allowing an editor to set an arbitrary HTML attribute name and value on the generated image element. This vulnerability is fixed in 2.0.0-beta.2.CVE-2026-42841
  4. Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss() function when handling unquoted HTML event attributes. This vulnerability is fixed in 2.0.0-beta.2.CVE-2026-42612
  5. Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.CVE-2026-42611

References

Sources include official advisories and independent security research.