PT-2026-8034 · Unknown · LavaLite CMS
Published 2026-02-13 · Updated 2026-02-19 · CVE-2025-70866
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LavaLite CMS version 10.1.0
Description
An authenticated user with low-level privileges (the User role) can reach the admin backend by logging in through the /admin/login endpoint. This is possible because the admin and user authentication guards share the same user provider, and no role-based access control check is applied when a session is established on the admin guard. The vulnerable parameter is the user's authentication credentials.
Recommendations
Apply role-based access control verification to the user provider used by both admin and user authentication guards.
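The following is an added illustration of the fix the recommendation describes, written in Laravel terms because LavaLite is built on Laravel; it is not LavaLite's own code. It assumes a hypothetical `role` column on the users table, an `admin` session guard that shares the `users` provider with the `web` guard, and the standard `Auth` facade; the class, guard and route names are assumptions.

```php
<?php
// Added example, not LavaLite's own code. Assumes a Laravel-style app with a
// hypothetical `role` column on the users table and an `admin` session guard
// that (as on the vulnerable setup) shares the `users` provider with `web`.
namespace App\Http\Controllers\Admin;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;

class AdminLoginController
{
    // Weak pattern: Auth::guard('admin')->attempt($request->only('email', 'password'))
    // succeeds for any valid account, because the shared provider knows nothing about roles.
    public function login(Request $request): Response
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        // Fix: add the role constraint to the credentials. The provider then only
        // retrieves rows where role = 'admin', so a User-role account never
        // authenticates on the admin guard, even with a correct password.
        $credentials['role'] = 'admin';

        if (! Auth::guard('admin')->attempt($credentials)) {
            return response('Invalid credentials', 401);
        }

        $request->session()->regenerate();
        return redirect()->intended('/admin');
    }
}

// Defence in depth: re-check the role on every request routed through the admin
// guard, so an existing admin session cannot survive a later role downgrade.
class EnsureAdminRole
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user('admin');
        if ($user === null || $user->role !== 'admin') {
            Auth::guard('admin')->logout();
            abort(403);
        }
        return $next($request);
    }
}
```

Register the middleware on every route group served under the admin guard; the credential constraint alone closes the login path, the middleware catches sessions that were established before the fix or whose role changed afterwards.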
Weakness Enumeration
Improper Access Control
Affected Products
LavaLite CMS