CVE-2025-50286

HIGH

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access.

CVSS v3.1 Score

8.1
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Complexity
HIGH
Privileges
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Published: 8/6/2025Modified: 11/7/2025

Related Intelligence (1)

LOWApt

Metasploit Wrap-Up 04/03/2026

Additional Adapters and More Modules This week, we added a whole new bunch of HTTP/HTTPS-based CMD payloads for X64 and X86 versions of Windows. The additional breadth of selectable payloads and delivery techniques allows users new options to tailor the attack workflow for their environment. This was contributed by bwatters-r7 . Adding new architectures for adapted payloads is surprisingly easy an

CVE-2026-27636CVE-2026-28289
Rapid7

References (1)

https://github.com/binneko/CVE-2025-50286ExploitThird Party Advisory