CVE-2025-50286

High CVSS 8.1

Overview

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access.

CWE: CWE-434 Published: 2025-08-06T15:15:32.297

Risk analysis

This vulnerability is rated 🟠 HIGH.

CVSS: 8.1 (HIGH)
Detected tags: rce (tag impact: VERY HIGH)

Recommended actions:

Patch/upgrade immediately (remote code execution).
Reduce exposure (WAF/segmentation), minimize attack surface.

Overview

Recommended tools

Tags