CVE-2026-6652

EUVD-2026-23878

20.04.2026, 16:16

A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. This manipulation causes improper neutralization of directives in dynamically evaluated code. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
VulDB	CNA	4.7 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
pagekit	pagekit	1.0.0	CNA
pagekit	pagekit	1.0.1	CNA
pagekit	pagekit	1.0.2	CNA
pagekit	pagekit	1.0.3	CNA
pagekit	pagekit	1.0.4	CNA
pagekit	pagekit	1.0.5	CNA
pagekit	pagekit	1.0.6	CNA
pagekit	pagekit	1.0.7	CNA
pagekit	pagekit	1.0.8	CNA
pagekit	pagekit	1.0.9	CNA
pagekit	pagekit	1.0.10	CNA
pagekit	pagekit	1.0.11	CNA
pagekit	pagekit	1.0.12	CNA
pagekit	pagekit	1.0.13	CNA
pagekit	pagekit	1.0.14	CNA
pagekit	pagekit	1.0.15	CNA
pagekit	pagekit	1.0.16	CNA
pagekit	pagekit	1.0.17	CNA
pagekit	pagekit	1.0.18	CNA

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://medium.com/@pkhuyar/the-danger-of-php-eval-a23410187ca2

https://vuldb.com/submit/794186

https://vuldb.com/vuln/358286

https://vuldb.com/vuln/358286/cti