{"variant_id": "pruva-cve-2026-57518-variant-updatecontroller-rce", "created_at": "2026-07-05T14:07:41Z", "variant_summary": "Distinct alternate RCE sink: the same UserApiController::saveAction() privilege escalation (only blocks Administrator role id=3) grants the trusted 'system: software updates' permission instead of 'system: manage packages', unlocking a SECOND independent RCE sink \u2014 UpdateController::downloadAction + updateAction drive SelfUpdater::update() to extract an attacker-crafted 'update' ZIP over the Pagekit web root, dropping a webshell that Apache executes directly. RCE as www-data confirmed (uid=33). No patched version exists (project archived), so this is an alternate trigger/sink, not a bypass of a released fix.", "relation": "newer_version_sibling", "origin_kind": "pruva_variant", "repository": "pagekit/pagekit", "submitted_target": {"target_kind": "release", "commit_sha": "95446c5f08fc43993fad5e2b581743ffcce50c35", "version": "1.0.18", "ref": "1.0.18", "display": "pagekit/pagekit 1.0.18 (release tag, commit 95446c5)"}, "variant_target": {"target_kind": "release", "commit_sha": "95446c5f08fc43993fad5e2b581743ffcce50c35", "version": "1.0.18", "ref": "1.0.18", "display": "pagekit/pagekit 1.0.18 (release tag, commit 95446c5) \u2014 only available version; no fixed ref exists"}, "same_root_cause_confidence": "high", "same_surface_confidence": "medium", "claimed_surface": "api_remote", "validated_surface": "api_remote", "required_entrypoint_kind": "api_remote", "required_entrypoint_detail": "Authenticated low-privileged user with 'user: manage users' calls POST /api/user/{id} to self-assign a custom role carrying 'system: software updates' + 'system: access admin area' (saveAction only blocks Administrator role id=3), then POST /admin/system/update/download (attacker-controlled url, file:// accepted) + POST /admin/system/update/update (SelfUpdater extracts ZIP over web root), then GET /<webshell>.php?cmd=id for RCE.", "attacker_controlled_input": "roles array in POST /api/user/{id} (custom role id not 3); url parameter in POST /admin/system/update/download (file:///path to crafted update ZIP); contents of the crafted update ZIP (app/installer/requirements.php + root-level webshell); cmd query parameter to the extracted webshell", "trigger_path": "POST /api/user/{id} roles=[2,<updater_role_id>] -> saveAction (only blocks id=3) -> editor gains system: software updates -> POST /admin/system/update/download url=file:///...evil_update.zip -> POST /admin/system/update/update -> SelfUpdater::update extracts rce_variant.php to /var/www/html/ -> GET /rce_variant.php?cmd=id", "observed_impact_class": "code_execution", "exploitability_confidence": "high", "evidence_scope": "production_path", "runtime_manifest_present": true, "end_to_end_target_reached": true, "inferred": false, "claim_block_reason": null, "blocking_mitigation": null, "file_path": "app/system/modules/user/src/Controller/UserApiController.php", "line_start": 178, "line_end": 183, "secondary_anchors": [{"file_path": "app/installer/src/Controller/UpdateController.php", "line_start": 30, "line_end": 60}, {"file_path": "app/installer/src/SelfUpdater.php", "line_start": 48, "line_end": 95}, {"file_path": "app/installer/index.php", "line_start": 110, "line_end": 116}], "review_scope_paths": ["app/system/modules/user/src/Controller/UserApiController.php", "app/installer/src/Controller/UpdateController.php", "app/installer/src/SelfUpdater.php", "app/installer/src/Controller/PackageController.php", "app/system/modules/user/src/Controller/RoleApiController.php", "app/system/modules/user/src/Controller/ProfileController.php", "app/system/modules/user/src/Controller/RegistrationController.php", "app/system/modules/user/src/Model/Role.php", "app/system/modules/user/src/Event/AccessListener.php", "app/installer/index.php", "app/system/modules/user/index.php"], "artifact_refs": {"variant_manifest": "vuln_variant/variant_manifest.json", "validation_verdict": "vuln_variant/validation_verdict.json", "runtime_manifest": "vuln_variant/runtime_manifest.json", "repro_log": "logs/vuln_variant/reproduction_steps.log", "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json", "reproducer": ["vuln_variant/reproduction_steps.sh"]}}