Input validation error in Grav CMS - CVE-2026-42607

Published: May 5, 2026


Vulnerability identifier: #VU130073
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-42607
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote user with administrative access (PR:H in the vector above) to execute arbitrary code on the server.

The vulnerability exists due to improper input validation in the directInstall task in the Admin plugin and Grav Package Manager when processing uploaded ZIP archives. A remote privileged user can upload a specially crafted ZIP file to execute arbitrary code.
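The advisory does not say which check the fixed versions add, and the contents of the crafted archive are not public, so what follows is an added, illustrative example rather than Grav's code: a pre-extraction validator of the kind any install task that unpacks a user-supplied ZIP needs before it writes a single file. It is written in Python (Grav itself is PHP) so it runs stand-alone. The install directory, the `build_zip` fixture helper and the three archives are constructed for the demonstration and are not taken from the vulnerability.

```python
"""Pre-extraction validation of an uploaded package ZIP (illustrative, not Grav code)."""
import io
import posixpath
import stat
import zipfile
from typing import Dict, List, Optional

# Hypothetical install directory; used only for the containment check, nothing is written.
INSTALL_DIR = "/var/www/grav/user/plugins/example"


class UnsafeArchive(ValueError):
    """Raised for an entry that must not be extracted."""


def validate_package_zip(data: bytes, dest: str = INSTALL_DIR) -> List[str]:
    """Inspect every entry of an uploaded ZIP before anything is extracted.

    Returns the entry names that would land inside dest; raises UnsafeArchive on the
    first entry that is absolute, escapes dest after normalisation, or is a symlink.
    """
    dest = posixpath.normpath(dest)
    accepted = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = zf.testzip()  # name of the first member with a CRC error, else None
        if bad is not None:
            raise UnsafeArchive(f"corrupt member: {bad}")
        for info in zf.infolist():
            name = info.filename
            # Absolute paths, Windows drive letters and backslashes are never legitimate
            # in a package archive; reject them rather than trying to sanitise.
            if name.startswith("/") or "\\" in name or ":" in name.split("/", 1)[0]:
                raise UnsafeArchive(f"absolute or non-portable path: {name}")
            # Collapse '.' and '..' components, then require the result to stay under dest.
            target = posixpath.normpath(posixpath.join(dest, posixpath.normpath(name)))
            if posixpath.commonpath([dest, target]) != dest:
                raise UnsafeArchive(f"path escapes install directory: {name}")
            # Unix mode bits sit in the high 16 bits of external_attr; a symlink entry can
            # redirect later writes, or the web server, to files outside dest.
            mode = (info.external_attr >> 16) & 0xFFFF
            if stat.S_ISLNK(mode):
                raise UnsafeArchive(f"symlink entry: {name}")
            accepted.append(name)
    return accepted


def is_safe(data: bytes, dest: str = INSTALL_DIR) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_package_zip(data, dest)
        return True
    except (UnsafeArchive, zipfile.BadZipFile):
        return False


def build_zip(entries: Dict[str, bytes], symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Build an in-memory ZIP from constructed entries (a fixture, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
        for name, link_target in (symlinks or {}).items():
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the entry as a symlink
            zf.writestr(info, link_target)
    return buf.getvalue()


# Constructed archives: one well-formed, one with a traversal entry, one with a symlink.
GOOD_ZIP = build_zip({
    "example/blueprints.yaml": b"name: Example\nversion: 1.0.0\n",
    "example/example.php": b"<?php // plugin entry point\n",
})
TRAVERSAL_ZIP = build_zip({
    "example/blueprints.yaml": b"name: Example\n",
    "example/../../../config/system.yaml": b"evil: true\n",
})
SYMLINK_ZIP = build_zip(
    {"example/blueprints.yaml": b"name: Example\n"},
    symlinks={"example/config": "../../../config"},
)

if __name__ == "__main__":
    for label, blob in [("good", GOOD_ZIP), ("traversal", TRAVERSAL_ZIP), ("symlink", SYMLINK_ZIP)]:
        try:
            print(label, "accepted:", validate_package_zip(blob))
        except UnsafeArchive as exc:
            print(label, "rejected:", exc)
```

The validator deliberately walks the whole archive and rejects it as a unit rather than skipping bad entries, because a partially extracted package is exactly the state an attacker wants. The path check operates on normalised POSIX strings only, so it costs no filesystem access and cannot be influenced by what already exists under the install directory.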

The issue affects the /admin/tools/direct-install endpoint and requires the Admin plugin to be enabled; sites that do not run the Admin plugin do not expose the endpoint. Exploitation also requires valid administrator credentials, so the vulnerability is primarily a concern where admin accounts may be shared, weakly protected or already compromised.
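For responders who want to know whether the endpoint has been used, here is an added example (not from the advisory's sources or from Grav) that scans web server access logs in Apache/nginx combined format for POST requests to the direct-install route. The log lines are constructed, the default /admin route is an assumption about the site's configuration, and the function only finds use of the feature: legitimate administrator installs appear too, so hits are reviewed against expected admin activity.

```python
"""Hunt for use of the Grav admin direct-install endpoint in access logs (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Apache/nginx "combined" format. Constructed sample lines, not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2026:10:15:32 +0000] "GET /admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/May/2026:10:15:40 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [05/May/2026:10:16:02 +0000] "GET /admin/tools/direct-install HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [05/May/2026:10:16:30 +0000] "POST /admin/tools/direct-install HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/May/2026:10:17:01 +0000] "GET /blog/hello-world HTTP/1.1" 200 3311 "-" "curl/8.0"
198.51.100.7 - - [05/May/2026:10:17:05 +0000] "POST /admin/tools/direct-install?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Grav's default admin route; a site may have changed it in the Admin plugin config (assumption).
ADMIN_ROUTE = "/admin"


def find_direct_install_posts(lines: Iterable[str], admin_route: str = ADMIN_ROUTE) -> List[Dict[str, str]]:
    """Return one record per POST whose path is the direct-install endpoint.

    Only POSTs are reported (assumed: a GET renders the page, the upload itself is a POST).
    Query strings are stripped before comparison so '?x=1' variants are not missed.
    """
    endpoint = admin_route.rstrip("/") + "/tools/direct-install"
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if m.group("method") == "POST" and path == endpoint:
            hits.append({k: m.group(k) for k in ("ip", "ts", "status", "ua")})
    return hits


def count_by_source(hits: List[Dict[str, str]]) -> Counter:
    """Tally (ip, status) pairs so rejected attempts stand out from accepted uploads."""
    return Counter((h["ip"], h["status"]) for h in hits)


if __name__ == "__main__":
    found = find_direct_install_posts(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]}  {h["ip"]:<15} status={h["status"]}  ua={h["ua"]}')
    print(count_by_source(found))
```

The status code carries most of the signal: a POST that the server answered with 403 came from a client without a valid admin session, while an accepted upload is a request to correlate with the admin's login and with any new files under the site's user/ tree at that time. A non-browser user agent on the endpoint is a second reason to look closer.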


How to mitigate CVE-2026-42607

Install the security update from the vendor's website. Where the Admin plugin is not needed, disabling it removes the affected endpoint; where it is needed, restrict who holds administrator accounts and how the admin route is reachable, since the flaw can only be triggered by an authenticated administrator.

Sources