Description
A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. This manipulation causes improper neutralization of directives in dynamically evaluated code. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

This vulnerability lies in the evaluate function of the StringStorage Template Handler in Pagekit CMS up to version 1.0.18. The function uses PHP's eval without properly neutralizing directives in dynamically evaluated code, allowing a malicious user to inject and execute arbitrary PHP code on the server. The weakness is classified as code injection (CWE-94) and eval injection (CWE-95). Remote attackers can exploit the flaw through web inputs that reach the evaluate routine, leading to full remote code execution on the affected system.

Affected Systems

The flaw affects Pagekit CMS installations running any version up to and including 1.0.18. The vulnerable code resides in app/modules/view/src/PhpEngine.php within the StringStorage Template Handler component. All sites that rely on this component for rendering templates without a newer fixed release are susceptible.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate baseline severity, but the publicly available exploit elevates the practical risk. Because the attack vector is remote, exploitation requires only access to the parts of the CMS that submit or process templates. Although the vulnerability is not listed in the CISA KEV catalog, the existence of a public exploit and the lack of vendor response increase the likelihood of abuse. Administrators should treat this as a medium-risk flaw that could enable remote code execution if not addressed promptly.

Generated by OpenCVE AI on April 20, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether a vendor patch or newer release that removes the vulnerable evaluate call is available, and apply it as soon as possible.
  • Restrict template editing and execution so that only trusted administrators can submit or process templates that invoke the StringStorage Template Handler. This limits the attack surface to privileged users.
  • Sanitize template inputs to remove any PHP delimiters or code that could trigger eval, ensuring that only pure template content is processed.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 15:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: (the Description shown at the top of this page)

Type: Title
Values Removed: (none)
Values Added: Pagekit CMS StringStorage Template PhpEngine.php evaluate eval injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-94, CWE-95

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0 {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T16:14:56.950Z

Reserved: 2026-04-20T05:58:31.133Z

Link: CVE-2026-6652

Vulnrichment

Updated: 2026-04-20T16:09:29.534Z

NVD

Status: Received

Published: 2026-04-20T16:16:56.013

Modified: 2026-04-20T16:16:56.013

Link: CVE-2026-6652

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses