8.8
LavaLite CMS 10.1.0 Allows Low-Privilege Users to Access Admin Panel
CVE-2025-70866
Summary
A security flaw in LavaLite CMS 10.1.0 lets users with limited permissions log in to the admin area without proper authorization. This could allow them to make changes to the site's settings or data. To protect your site, update to a fixed version of LavaLite CMS as soon as one is available.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| lavalite | lavalite | 10.1.0 | – |
Original title
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. ...
Original description
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification.
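The root cause named in the description, modelled as a stand-alone PHP sketch: two guards share one user provider, and only the guard given an allowed-role list refuses a valid User-role login. This is an added example, not LavaLite's code or the advisory's; the class names, the account and the role strings are hypothetical.

```php
<?php
declare(strict_types=1);
// Added illustration, not LavaLite source; every name here is hypothetical.
// One user provider backs both guards, as in the description above.
final class UserProvider
{
    private array $users = [];

    public function add(string $email, string $password, string $role): void
    {
        $this->users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'role' => $role];
    }

    public function retrieve(string $email, string $password): ?array
    {
        $user = $this->users[$email] ?? null;
        if ($user === null || !password_verify($password, $user['hash'])) {
            return null; // unknown account or wrong password
        }
        return ['email' => $email, 'role' => $user['role']];
    }
}

final class Guard
{
    // $allowedRoles === null reproduces a guard with no role verification.
    public function __construct(private UserProvider $provider, private ?array $allowedRoles = null) {}

    public function attempt(string $email, string $password): bool
    {
        $user = $this->provider->retrieve($email, $password);
        if ($user === null) {
            return false;
        }
        if ($this->allowedRoles === null) {
            return true; // valid credentials alone open the guard
        }
        // Fail closed: the role must match even though the credentials are valid.
        return in_array($user['role'], $this->allowedRoles, true);
    }
}

$provider = new UserProvider();
$provider->add('user@example.test', 'constructed-pw', 'user'); // constructed sample account
$unchecked = new Guard($provider);            // shared provider, no role check
$checked   = new Guard($provider, ['admin']); // same provider, role enforced
foreach (['unchecked' => $unchecked, 'checked' => $checked] as $name => $guard) {
    $ok = $guard->attempt('user@example.test', 'constructed-pw');
    printf("%s admin guard admits User role: %s\n", $name, var_export($ok, true));
}
```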
nvd CVSS3.1
8.8
Vulnerability type
CWE-284
Improper Access Control
- https://gist.github.com/gkjzjh146/6d541c80b0666a596581ccd85bd10058 Exploit Third Party Advisory
- https://github.com/LavaLite/cms/releases/tag/v10.1.0 Product Release Notes
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026