CVE-2026-6652

Summary

A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. This manipulation causes improper neutralization of directives in dynamically evaluated code. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
PagekitCMS1.0.0affected
PagekitCMS1.0.1affected
PagekitCMS1.0.2affected
PagekitCMS1.0.3affected
PagekitCMS1.0.4affected
PagekitCMS1.0.5affected
PagekitCMS1.0.6affected
PagekitCMS1.0.7affected
PagekitCMS1.0.8affected
PagekitCMS1.0.9affected
PagekitCMS1.0.10affected
PagekitCMS1.0.11affected
PagekitCMS1.0.12affected
PagekitCMS1.0.13affected
PagekitCMS1.0.14affected
PagekitCMS1.0.15affected
PagekitCMS1.0.16affected
PagekitCMS1.0.17affected
PagekitCMS1.0.18affected

Weaknesses

  • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References