CVE-2025-50286

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access.

Configurations

No configuration.

History

07 Aug 2025, 05:15

Type: References
Values Removed: (none)
Values Added:
  • http://grav.com (source: cve@mitre.org)
  • https://github.com/binneko (source: cve@mitre.org)

06 Aug 2025, 15:15

Type: New CVE

Information

Published : 2025-08-06 15:15

Updated : 2025-08-07 05:15


NVD link : CVE-2025-50286

Mitre link : CVE-2025-50286

CVE.ORG link : CVE-2025-50286



Products Affected

No product.

CWE
CWE-434

Unrestricted Upload of File with Dangerous Type