CVE-2025-67164: Pagekit CMS is vulnerable to OS Command Injection via Storage component

December 17, 2025 (updated December 18, 2025)

An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.

The project is archived as of December 1, 2023.

References

github.com/advisories/GHSA-m4f2-xpfq-h97v
github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67164
github.com/pagekit/pagekit
nvd.nist.gov/vuln/detail/CVE-2025-67164

Code Behaviors & Features

Detect and mitigate CVE-2025-67164 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →