NIXPKGS-2026-1521

GitHub issue published on

Permalink CVE-2026-42607

9.1 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 3 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
20 packages
- gravit
- antigravity
- antigravity-fhs
- stardust-xr-gravity
- kdePackages.libgravatar
- gnomeExtensions.gravatar
- haskellPackages.gravatar
- python312Packages.libgravatar
- python313Packages.libgravatar
- python314Packages.libgravatar
- python312Packages.flask-gravatar
- python313Packages.flask-gravatar
- python314Packages.flask-gravatar
- python312Packages.django-gravatar2
- python313Packages.django-gravatar2
- python314Packages.django-gravatar2
- perlPackages.MojoliciousPluginGravatar
- perl5Packages.MojoliciousPluginGravatar
- perl538Packages.MojoliciousPluginGravatar
- perl540Packages.MojoliciousPluginGravatar
4 hours ago
@LeSuisse accepted 4 hours ago
@LeSuisse published on GitHub 3 hours ago

Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives. Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server. This vulnerability is fixed in 2.0.0-beta.2.

References

https://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw x_refsource_CONFIRM
https://github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663 x_refsource_MISC

Affected products

grav

==< 2.0.0-beta.2

Matching in nixpkgs

pkgs.grav

Fast, simple, and flexible, file-based web platform

nixos-unstable 1.7.50.3
- nixpkgs-unstable 1.7.50.3
- nixos-unstable-small 1.7.50.3
nixos-25.11 1.7.50.3
- nixos-25.11-small 1.7.50.3
- nixpkgs-25.11-darwin 1.7.50.3

Ignored packages (20)

pkgs.gravit

Beautiful OpenGL-based gravity simulator

nixos-unstable 0.5.1
- nixpkgs-unstable 0.5.1
- nixos-unstable-small 0.5.1
nixos-25.11 0.5.1
- nixos-25.11-small 0.5.1
- nixpkgs-25.11-darwin 0.5.1

pkgs.antigravity

Agentic development platform, evolving the IDE into the agent-first era

nixos-unstable 1.23.2
- nixpkgs-unstable 1.23.2
- nixos-unstable-small 1.23.2
nixos-25.11 1.11.14
- nixos-25.11-small 1.11.14
- nixpkgs-25.11-darwin 1.11.14

pkgs.antigravity-fhs

Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications

nixos-unstable 1.23.2
- nixpkgs-unstable 1.23.2
- nixos-unstable-small 1.23.2
nixos-25.11 1.11.14
- nixos-25.11-small 1.11.14
- nixpkgs-25.11-darwin 1.11.14

pkgs.stardust-xr-gravity

Utility to launch apps and stardust clients at an offet

nixos-unstable 0-unstable-2024-12-29
- nixpkgs-unstable 0-unstable-2024-12-29
- nixos-unstable-small 0-unstable-2024-12-29
nixos-25.11 0-unstable-2024-12-29
- nixos-25.11-small 0-unstable-2024-12-29
- nixpkgs-25.11-darwin 0-unstable-2024-12-29

pkgs.kdePackages.libgravatar

Library that provides Gravatar support

nixos-unstable 26.04.0
- nixpkgs-unstable 26.04.1
- nixos-unstable-small 26.04.1
nixos-25.11 25.08.3
- nixos-25.11-small 25.08.3
- nixpkgs-25.11-darwin 25.08.3