CVE-2026-57518

Pagekit CMS 1.0.18 Privilege Escalation via UserApiController

CVSS 8.7 HIGHEPSS 0.5%CWE-862

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.7EPSS 0.5%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

26 Jun 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Pagekit CMS 1.0.18 contains a privilege escalation vulnerability that allows authenticated users with the 'user: manage users' permission to escalate privileges by assigning arbitrary custom roles to themselves due to missing authorization checks in UserApiController::saveAction(). Attackers can assign themselves a custom role with the 'system: manage packages' permission and then upload and install a malicious PHP package through the admin package installer to achieve remote code execution.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

pagekit · pagekit

public PoCs found — 1

cve_referencegist.github.com/sermikr0/6f0a67e9d101746fcdb04827de137847unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://gist.github.com/sermikr0/6f0a67e9d101746fcdb04827de137847 https://www.vulncheck.com/advisories/pagekit-cms-privilege-escalation-via-userapicontroller