
CVE-2025-70866

Severity: High · Public PoC

Published: 13 February 2026
Modified: 19 February 2026
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0045 (35.5th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-70866 is a high-severity Improper Access Control (CWE-284) vulnerability in LavaLite CMS (vendor: Lavalite). Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 35.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

LavaLite CMS version 10.1.0 is affected by CVE-2025-70866, an Incorrect Access Control vulnerability published on 2026-02-13. The flaw allows an authenticated user with low-level privileges, specifically the User role, to directly access the admin backend by logging in through the /admin/login endpoint. This occurs because the admin and user authentication guards share the same user provider without role-based access control verification. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-284.

An attacker requires only a valid low-privilege User role account to exploit this over the network with low complexity and no user interaction. By logging into the /admin/login endpoint, the attacker bypasses intended restrictions and gains full access to the admin backend, enabling high-impact actions that compromise confidentiality, integrity, and availability of the CMS, such as modifying sensitive data or administrative settings.
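To make the shared-provider flaw described above concrete, here is an added illustration in Laravel terms (LavaLite is Laravel-based); it is not LavaLite's own code. It shows the weak `config/auth.php` shape in which the `admin` guard reuses the `users` provider, the corrected shape with a separate provider, and a route middleware that enforces a role check on the admin guard. The `EnsureAdminRole` class, the `admins` provider and model, and the `hasRole()` method are assumptions made for this example.

```php
<?php
// Illustrative Laravel config shapes and middleware; not LavaLite's own code.
// Assumptions: LavaLite's guards are Laravel guards, an 'admins' provider can be
// introduced, and the User model exposes hasRole(). Names are hypothetical.

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

// config/auth.php, weak shape (the CVE-2025-70866 pattern): both guards resolve
// identities from the same provider, so any account that can authenticate at
// /admin/login is logged in to the admin guard with no role check at all.
$weakGuards = [
    'web'   => ['driver' => 'session', 'provider' => 'users'],
    'admin' => ['driver' => 'session', 'provider' => 'users'],
];

// config/auth.php, corrected shape: the admin guard authenticates against a
// separate provider, so a User-role account has no identity the admin guard
// can log in. (The 'admins' model/table is an assumption for this example.)
$correctedGuards = [
    'web'   => ['driver' => 'session', 'provider' => 'users'],
    'admin' => ['driver' => 'session', 'provider' => 'admins'],
];
$providers = [
    'users'  => ['driver' => 'eloquent', 'model' => App\Models\User::class],
    'admins' => ['driver' => 'eloquent', 'model' => App\Models\Admin::class],
];

// Defence in depth when the provider must stay shared: middleware that checks
// the role of the identity resolved by the admin guard on every backend
// request, not only at login. Register it after 'auth:admin' on the /admin
// route group, e.g. Route::middleware(['auth:admin', EnsureAdminRole::class]).
class EnsureAdminRole
{
    public function handle(Request $request, Closure $next): Response
    {
        $user = $request->user('admin');
        if ($user === null || !$user->hasRole('admin')) {
            // Authenticated but not authorised: deny and leave an audit trail.
            Log::warning('Non-admin identity reached the admin backend', [
                'user_id' => $user?->id, 'path' => $request->path(),
            ]);
            abort(403);
        }
        return $next($request);
    }
}
```

Separating the provider removes the flaw; the middleware additionally catches any route that bypasses the login check and gives responders a log line to alert on.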

Key references include a GitHub gist at https://gist.github.com/gkjzjh146/6d541c80b0666a596581ccd85bd10058, likely detailing the issue or proof-of-concept, and the LavaLite CMS release page for v10.1.0 at https://github.com/LavaLite/cms/releases/tag/v10.1.0. Security practitioners should consult these sources for further technical details and any guidance on remediation.

Vulnerability details

LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The access control flaw directly enables an authenticated low-privilege account to reach the admin backend, constituting exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20628 (shared CWE-284)
CVE-2025-48619 (shared CWE-284)
CVE-2025-21405 (shared CWE-284)
CVE-2026-24303 (shared CWE-284)
CVE-2026-24290 (shared CWE-284)
CVE-2026-41086 (shared CWE-284)
CVE-2026-48904 (shared CWE-284)
CVE-2026-35243 (shared CWE-284)
CVE-2025-24076 (shared CWE-284)
CVE-2024-38310 (shared CWE-284)

Affected Assets

Vendor: lavalite · Product: lavalite · Version: 10.1.0

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: Enforces approved authorizations, including role-based checks, to block low-privilege users from accessing the admin backend via shared authentication guards.

Prevent: Applies the least privilege principle to explicitly limit User role access to administrative functions, preventing privilege escalation.

Prevent: Mandates access control decisions based on role attributes, directly countering the absence of role verification in admin login.
