CVE-2025-67165
CRITICAL 9.8 | EPSS 0.13%
Pagekit CMS has an Insecure Direct Object Reference (IDOR) in its User Role component
Published: 12/17/2025 | Modified: 12/18/2025
Also known as: GHSA-w3j8-9p3j-3wjx
Description
An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges. The project was archived as of December 1, 2023.
Affected packages (1)
- Packagist: pagekit/pagekit, from 0, <= 1.0.18
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-67165
- PATCH: https://github.com/pagekit/pagekit
- WEB: https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67165
- WEB: https://github.com/pagekit/docs/blob/develop/user-interface/users.md#permissions
- WEB: https://github.com/pagekit/docs/blob/develop/user-interface/users.md#roles