automatic module_metadata_base.json update

jenkins-metasploit · jenkins-metasploit · commit ba059417a39a · 2026-03-31T12:57:11.000Z
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -110387,6 +110387,66 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/http/grav_admin_direct_install_rce_cve_2025_50286": {
+    "name": "Grav CMS Admin Direct Install Authenticated Plugin Upload RCE",
+    "fullname": "exploit/multi/http/grav_admin_direct_install_rce_cve_2025_50286",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-08-07",
+    "type": "exploit",
+    "author": [
+      "binneko",
+      "x1o3"
+    ],
+    "description": "Grav CMS version <=1.7.49.5 with Admin Plugin version <=1.10.49.3 is\n          vulnerable to authenticated remote code execution via the\n          \"Direct Install\" feature in the administrative interface.\n\n          An authenticated administrator can upload a crafted plugin\n          archive containing arbitrary PHP code. The uploaded plugin\n          is written to disk and executed by the application, allowing\n          command execution in the context of the web server user.\n\n          This module authenticates to the admin panel, uploads a\n          malicious plugin via /admin/tools/direct-install, and\n          triggers execution of the embedded payload.",
+    "references": [
+      "CVE-2025-50286",
+      "EDB-52402",
+      "URL-https://github.com/getgrav/grav"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP Payload"
+    ],
+    "mod_time": "2026-03-27 11:45:20 +0000",
+    "path": "/modules/exploits/multi/http/grav_admin_direct_install_rce_cve_2025_50286.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/grav_admin_direct_install_rce_cve_2025_50286",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/http/grav_twig_ssti_sandbox_bypass_rce": {
     "name": "Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE",
     "fullname": "exploit/multi/http/grav_twig_ssti_sandbox_bypass_rce",
