External risk intelligence
Grav could allow malicious administrators to execute server code and gain system control.
The Grav web platform could allow a malicious administrator to execute code and gain full server control, potentially exposing sensitive files or disrupting operational systems and service availability. We recommend that your team apply the latest vendor update to resolve this risk.
Halo Surface Signal
2/5
This vulnerability requires an authenticated administrative session to exploit. The Direct Install feature lives inside the authenticated admin panel rather than on a public, unauthenticated path, so an attacker first needs valid administrative credentials or a hijacked admin session; where the admin panel itself is reachable from the internet, that login is the only barrier in front of the feature.
Exposure facts
H – Horizon Alert
A security flaw has been identified in the Grav web platform that could allow an authenticated user with administrative privileges to gain unauthorized control over the server. By uploading a specially crafted file through the "Direct Install" feature, an individual can bypass system checks to execute malicious code or establish persistent access. This represents a significant risk, as it allows for potential manipulation of the web server environment by an internal user with elevated rights.
A – Asset Exposure
This issue affects the Grav web platform, specifically the "Direct Install" tool available to administrative users. Because exploitation requires an authenticated administrative account, the risk is generally limited to people inside your organization who hold that role, or to admin accounts that have already been compromised, rather than to direct public-internet exposure. If the feature is abused, an actor could gain full server control, potentially reading sensitive files or deploying persistent malicious software, which would compromise the integrity of your operational systems and service availability.
L – Live Threat
The available context for this issue does not indicate active exploitation or observed targeting in the wild at this time. While the vulnerability allows an administrative user to execute unauthorized code, there are currently no reports of public exploit availability or widespread abuse. Consequently, the immediate risk remains localized to instances where administrative access is already compromised, with no current signals suggesting elevated real-world threat activity.
O – Operational Fix
Please prioritize applying the latest security update provided by the vendor for your Grav platform to resolve this risk. Coordinate with your technical team so that the patch is applied in accordance with the vendor's guidance, and confirm the installed version against the release the vendor identifies as fixed; the update is only complete once that version is in place. Because exploitation needs an administrative session, also review which accounts hold admin rights, remove any that are no longer needed, and restrict network access to the admin panel where your deployment allows it.
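As an added example (not from this advisory and not Grav project code), the script below bundles the two checks the Asset Exposure and Operational Fix sections call for: which accounts hold admin-panel rights, and whether the installed Grav version is at or above a fixed release you supply. It assumes Grav's standard layout, where `system/defines.php` carries `define('GRAV_VERSION', '...')` and each account is a `user/accounts/<username>.yaml` file whose `access: admin:` map grants `login` and `super`; verify both against your deployment. The sample install it writes and the `9.9.9` placeholder for the fixed version are constructed, because the advisory does not name the patched release.

```python
"""Post-advisory audit for a Grav install (added example, not Grav project code).

Assumed layout (standard Grav; confirm on your own deployment):
  * system/defines.php contains:  define('GRAV_VERSION', '<version>');
  * user/accounts/<user>.yaml has an `access:` map whose `admin:` sub-map
    carries `login` / `super` flags granting admin-panel rights.
build_sample_install() writes a constructed sample tree, not a real site.
"""
import re
import sys
import tempfile
from pathlib import Path

VERSION_RE = re.compile(r"define\(\s*'GRAV_VERSION'\s*,\s*'([^']+)'\s*\)")
TRUE_WORDS = {"true", "1", "yes", "on"}


def installed_version(grav_root):
    """Return the GRAV_VERSION string from system/defines.php, or None if not found."""
    defines = Path(grav_root, "system", "defines.php")
    if not defines.is_file():
        return None
    match = VERSION_RE.search(defines.read_text())
    return match.group(1) if match else None


def version_tuple(version):
    """Leading dotted numeric part as a tuple, padded so '1.8' compares as (1, 8, 0)."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in match.group(0).split(".")] if match else [0]
    return tuple(parts + [0] * max(0, 3 - len(parts)))


def is_patched(installed, fixed_version):
    """True when the installed version is at or above the vendor's fixed release."""
    if installed is None:
        return False  # unknown version: treat as unpatched, investigate by hand
    return version_tuple(installed) >= version_tuple(fixed_version)


def parse_simple_yaml(text):
    """Minimal parser for the indented key/value layout of Grav account files.

    Nested maps and scalar leaves only (no lists, no block strings); that is all
    the `access:` block needs. Avoids a PyYAML dependency for a quick audit.
    """
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:          # climb back out of deeper maps
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":                # "key:" alone opens a nested map
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip()
    return root


def _truthy(value):
    return isinstance(value, str) and value.strip().lower() in TRUE_WORDS


def admin_accounts(grav_root):
    """Accounts with access.admin.login or access.admin.super set, sorted by username."""
    accounts_dir = Path(grav_root, "user", "accounts")
    results = []
    if not accounts_dir.is_dir():
        return results
    for path in sorted(accounts_dir.glob("*.yaml")):
        data = parse_simple_yaml(path.read_text())
        access = data.get("access", {})
        admin = access.get("admin", {}) if isinstance(access, dict) else {}
        if isinstance(admin, dict) and (_truthy(admin.get("login")) or _truthy(admin.get("super"))):
            results.append({"user": path.stem,
                            "state": data.get("state", "enabled"),  # disabled accounts still listed
                            "super": _truthy(admin.get("super"))})
    return results


def audit(grav_root, fixed_version):
    """Run both checks and return one report dict."""
    version = installed_version(grav_root)
    return {"installed": version,
            "patched": is_patched(version, fixed_version),
            "admins": admin_accounts(grav_root)}


def build_sample_install(root=None):
    """Write a CONSTRUCTED sample Grav tree for the demo and return its root path."""
    root = Path(root or tempfile.mkdtemp(prefix="grav-audit-"))
    (root / "system").mkdir(parents=True, exist_ok=True)
    (root / "system" / "defines.php").write_text(
        "<?php\n// constructed sample, not a real Grav file\ndefine('GRAV_VERSION', '1.7.42');\n")
    accounts = root / "user" / "accounts"
    accounts.mkdir(parents=True, exist_ok=True)
    samples = {  # constructed accounts: one super admin, one site-only user, one disabled admin
        "alice": "email: alice@example.com\nstate: enabled\naccess:\n  admin:\n    login: true\n    super: true\n  site:\n    login: true\n",
        "bob": "email: bob@example.com\nstate: enabled\naccess:\n  site:\n    login: true\n",
        "deploy": "email: deploy@example.com\nstate: disabled\naccess:\n  admin:\n    login: true\n    super: false\n",
    }
    for name, body in samples.items():
        (accounts / f"{name}.yaml").write_text(body)
    return root


if __name__ == "__main__":
    # Usage: python grav_audit.py /path/to/grav <fixed-version-from-vendor-advisory>
    # "9.9.9" is a placeholder: substitute the release the vendor names as fixed.
    grav_root = sys.argv[1] if len(sys.argv) > 1 else build_sample_install()
    fixed = sys.argv[2] if len(sys.argv) > 2 else "9.9.9"
    report = audit(grav_root, fixed)
    print(f"Grav {report['installed']} at {grav_root}: patched={report['patched']}")
    for acct in report["admins"]:
        print(f"  {acct['user']:<12} {acct['state']:<9} {'SUPER' if acct['super'] else 'admin'}")
```

Run it against a real install with the fixed version from the vendor's release notes; an empty admin list or a `None` version means the layout differs from the assumption above and the check needs adjusting rather than trusting. Disabled accounts are deliberately still reported, since re-enabling one is a common way a stale admin account comes back into play.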