Description
Pagekit CMS 1.0.18 contains a privilege escalation vulnerability that allows authenticated users with the 'user: manage users' permission to escalate privileges by assigning arbitrary custom roles to themselves due to missing authorization checks in UserApiController::saveAction(). Attackers can assign themselves a custom role with the 'system: manage packages' permission and then upload and install a malicious PHP package through the admin package installer to achieve remote code execution.
Published: 2026-06-26
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pagekit CMS 1.0.18 contains a privilege escalation vulnerability that allows authenticated users possessing the 'user: manage users' permission to create arbitrary custom roles with elevated privileges. The missing authorization check in UserApiController::saveAction() lets an attacker self-assign a custom role that grants 'system: manage packages', enabling upload and installation of malicious PHP packages via the admin package installer, resulting in remote code execution. This flaw illustrates a classic Missing Authorization weakness (CWE-862) and could compromise the confidentiality, integrity, and availability of the affected site.
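The kind of check the description says saveAction() lacks, as an added illustration that is not Pagekit's code: a hypothetical PHP 8 guard a "save user" endpoint would call before applying a role change. It refuses self-assignment and refuses to grant any role whose permissions the acting user does not already hold; the class name, method names and the 'editor'/'packager' role names are assumptions, while the two permission strings are the ones named on this page.

```php
<?php
// Hypothetical guard for a "save user" endpoint (not Pagekit's code).
// $rolePermissions maps role name => list of permission strings it grants.
final class RoleAssignmentGuard
{
    public function __construct(private array $rolePermissions) {}
    // Flatten the permissions granted by a set of roles (deduplicated).
    public function permissionsFor(array $roles): array
    {
        $perms = [];
        foreach ($roles as $role) {
            foreach ($this->rolePermissions[$role] ?? [] as $p) {
                $perms[$p] = true;
            }
        }
        return array_keys($perms);
    }
    // Returns null if the change may proceed, otherwise the reason it is denied.
    public function denyReason(int $actorId, array $actorRoles, int $targetId,
                               array $targetRoles, array $requestedRoles): ?string
    {
        $added = array_values(array_diff($requestedRoles, $targetRoles));
        if ($added === []) {
            return null;                          // no new role, nothing to escalate
        }
        if ($actorId === $targetId) {
            return 'users may not change their own roles';
        }
        foreach ($added as $role) {
            if (!isset($this->rolePermissions[$role])) {
                return "unknown role: $role";     // reject names not in the catalogue
            }
        }
        // A grant may never hand out a permission the acting user does not hold.
        $gained = array_diff($this->permissionsFor($added), $this->permissionsFor($actorRoles));
        if ($gained !== []) {
            return 'cannot grant permissions the actor lacks: ' . implode(', ', $gained);
        }
        return null;
    }
}
// Constructed sample reproducing the scenario in the description above.
$guard = new RoleAssignmentGuard([
    'editor'   => ['user: manage users'],
    'packager' => ['system: manage packages'],
]);
// User 7 (editor) tries to add the 'packager' role to its own account: denied.
var_dump($guard->denyReason(7, ['editor'], 7, ['editor'], ['editor', 'packager']));
// The same user tries to grant 'packager' to user 9: denied, the editor lacks that permission.
var_dump($guard->denyReason(7, ['editor'], 9, [], ['packager']));
```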

Affected Systems

The vulnerability affects Pagekit CMS version 1.0.18 and, by extension, any systems running that exact release. The product is provided by the vendor Pagekit. No finer version granularity is available in the CVE record, so any deployment of Pagekit CMS 1.0.18 should be considered at risk unless a patch has been applied.

Risk and Exploitability

The CVSS score of 8.7 signals a high‑severity flaw, and while an EPSS score is not available, the lack of mitigation information and the ability for an attacker to elevate privileges at will indicate that exploitation is likely if the vulnerable package is in use. The issue is not currently listed in the CISA KEV catalog, but the described attack path—self‑assigning a privileged role and installing code—provides a low‑effort vector that can achieve remote code execution if the attacker can authenticate to the site. Administrators should treat this as a high‑risk vulnerability that requires prompt remediation.

Generated by OpenCVE AI on June 26, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Pagekit CMS update that adds the missing authorization check in UserApiController, ensuring that only administrators can assign custom roles.
  • If an update cannot be deployed immediately, restrict the 'user: manage users' permission to a minimal set of trusted administrative accounts and disable the ability for normal users to create or modify custom roles.
  • Disable the admin package installer or enforce a review process for uploaded PHP packages, limiting package installation to a controlled set of extensions only.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Pagekit; Pagekit pagekit
Vendors & Products  |                | Pagekit; Pagekit pagekit

Fri, 26 Jun 2026 19:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Pagekit CMS 1.0.18 contains a privilege escalation vulnerability that allows authenticated users with the 'user: manage users' permission to escalate privileges by assigning arbitrary custom roles to themselves due to missing authorization checks in UserApiController::saveAction(). Attackers can assign themselves a custom role with the 'system: manage packages' permission and then upload and install a malicious PHP package through the admin package installer to achieve remote code execution.
Title       |                | Pagekit CMS 1.0.18 Privilege Escalation via UserApiController
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-26T18:41:46.008Z

Reserved: 2026-06-24T15:58:58.537Z

Link: CVE-2026-57518

Vulnrichment

Updated: 2026-06-26T18:14:31.926Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:00:08Z

Weaknesses