CVE-2025-50286
Published: 06 August 2025
Summary
CVE-2025-50286 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Getgrav Grav. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits user-installed software, directly preventing authenticated admins from uploading and installing malicious plugins via the direct-install interface.
Validates information inputs to the plugin upload interface, blocking malicious payloads before extraction and execution.
Deploys malicious code protection mechanisms to scan and block uploaded plugins containing arbitrary PHP code or reverse shells.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables exploitation of public-facing web application (T1190), uploading malicious plugin ZIP for tool transfer (T1105), and automatic deployment/execution of web shell via PHP code for execution (T1100) and persistence (T1505.003).
NVD Description
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell…
more
access.
Deeper analysisAI
CVE-2025-50286 is a Remote Code Execution (RCE) vulnerability affecting Grav CMS version 1.7.48. The flaw resides in the /admin/tools/direct-install interface, which permits an authenticated administrator to upload a malicious plugin. Upon upload, the plugin is automatically extracted and loaded, enabling arbitrary PHP code execution. The vulnerability is associated with CWE-434 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H).
An authenticated administrator can exploit this vulnerability remotely by crafting and uploading a malicious plugin through the affected interface. Successful exploitation leads to arbitrary PHP code execution on the server, potentially granting reverse shell access and full control over the Grav CMS instance.
Advisories and additional details are available in the referenced GitHub repository at https://github.com/binneko/CVE-2025-50286.
Details
- CWE(s)