mediumCVE-2026-59193

CVE-2026-59193 Grav CMS vulnerability

Grav is a file-based Web platform. Prior to 2.0.0, an authenticated admin.super user can crash Grav or fill the disk by uploading a specially crafted ZIP archive through the Direct Install tool because Installer::unZip calls ZipArchive::extractTo without limits on uncompressed size, entry count, or directory depth. This issue is fixed in version 2.0.0.

ProductGrav CMS
CVSS6.9
EPSS0.0039
UpdatedJuly 12, 2026

Quick answer

Grav CMS should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Grav before 2.0.0

Fixed versions

  • 2.0.0

How to fix it

CVE-2026-59193 affects Grav before 2.0.0 when an authenticated admin.super user uploads a crafted ZIP through the Direct Install tool. The issue can crash Grav or consume disk space because archive extraction did not limit uncompressed size, entry count, or directory depth. Upgrade Grav to 2.0.0 or a later supported release. Until upgraded, restrict Direct Install access to fully trusted administrators and avoid installing untrusted ZIP packages.

  1. Inventory Grav sites, admin panels, Direct Install usage, plugins, themes, and deployment automation that can install ZIP packages.
  2. Identify Grav versions before 2.0.0 and prioritize internet-facing admin panels or shared administrator environments.
  3. Upgrade Grav core to 2.0.0 or a later supported release and update plugins/themes through the supported channel.
  4. Restrict admin.super and Direct Install access to trusted administrators while remediation is pending.
  5. Block or review untrusted ZIP uploads and enforce host-level disk quotas and monitoring around Grav temp and cache directories.
  6. Review logs and filesystem usage for failed installs, unusually large extracted files, deep directory trees, or disk exhaustion.
  7. If availability was impacted, clean temporary extraction folders, restore disk capacity, and preserve suspicious archive samples for analysis.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Grav reports version 2.0.0 or a later supported release.
  • Confirm Direct Install rejects or safely bounds highly compressed archives, excessive entries, and deep directory structures.
  • Confirm only trusted administrators retain admin.super and package installation permissions.
  • Review disk, cache, temp, and backup directories after patching for leftover extraction artifacts.
  • Document patched version, permission changes, disk cleanup, and test evidence, then rerun Fixnx or the relevant scan where applicable.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-59193?

Grav CMS versions listed as affected should be reviewed: Grav before 2.0.0.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.