cvedb.io
CVE-2025-70866
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-02-13T22:16:09.923 · Last modified 2026-06-17T10:03:26.133

Summary

LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification.

Affected products

lavalite — lavalite

Does this affect you?

Add your gear to cvedb and we'll alert you only when lavalite ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.