CVE-2026-6652 MEDIUM

CVE-2026-6652: Pagekit CMS StringStorage Template PhpEngine.php evaluate eval injection

Vendor Pagekit
Product CMS
Weakness CWE-95 · Eval injection
Published April 20, 2026
Last update April 20, 2026
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. This manipulation causes improper neutralization of directives in dynamically evaluated code. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

Disclosure timeline

April 20, 2026 CVE published
April 20, 2026 Record updated