EUVD-2026-25659Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was identified in pagekit up to 1.0.18. Affected by this issue is some unknown functionality of the file /index.php/admin/system/update/download. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery (SSRF) in Pagekit up to version 1.0.18 allows authenticated high-privilege administrators to manipulate the url parameter in the /index.php/admin/system/update/download endpoint, enabling them to force the server to make arbitrary HTTP requests to internal or external systems. Publicly available exploit code exists, and the vendor did not respond to early disclosure efforts.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires valid Pagekit administrator credentials with high privilege level (indicated by CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS score of 4.7 (Medium) reflects the narrow attack surface: exploitation requires high-privilege administrator (PR:H) access over an unauthenticated network channel (AV:N/AC:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with compromised Pagekit admin credentials (e.g., from a weak password or data breach) logs into the admin panel, navigates to System > Update, and modifies the download URL parameter to point to an internal service (e.g., http://localhost:8080/admin or http://internal-api.local/sensitive-data). The server processes the request and returns the response to the attacker, revealing internal service behavior, API endpoints, or sensitive data. … |
| Remediation | Upgrade Pagekit to a version after 1.0.18 if available; if no newer release exists, apply strict network-level access controls to the Pagekit admin interface. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today