PatchSiren cyber security CVE debrief
CVE-2017-5594 Pagekit CVE debrief
CVE-2017-5594 was published on 2017-01-25 and describes a password-reset weakness in Pagekit CMS before 1.0.11 when the debug toolbar is enabled. NVD rates the issue HIGH with a 7.5 score and maps it to CWE-640. The documented fix is available in the Pagekit commit referenced by NVD, and the official CVE/NVD records confirm the affected version range.
- Vendor: Pagekit
- Product: CVE-2017-5594
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-25
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-25
- Advisory updated: 2026-05-13
Who should care
Organizations running Pagekit CMS 1.0.10 or earlier, especially any deployment where the debug toolbar may be enabled or reachable in production. Administrators responsible for account security and application hardening should treat this as a priority.
Technical summary
NVD lists Pagekit CMS versions up to and including 1.0.10 as vulnerable. The issue is described as a remote attacker being able to reset a registered user's password when the debug toolbar is enabled, which can lead to account compromise. The NVD CVSS vector is AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting network reachability, required user interaction, and high impact. NVD assigns CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).
Defensive priority
High for any exposed or actively used Pagekit deployment on affected versions, because the impact is account takeover and the fix is version-based. Priority is especially high if the debug toolbar cannot be confirmed disabled in all environments.
Recommended defensive actions
- Upgrade Pagekit CMS to version 1.0.11 or later.
- Disable the debug toolbar in production and confirm it is not exposed to unauthenticated users.
- Review account and password-reset activity for unexpected changes on affected systems.
- Validate that no affected Pagekit instances remain in staging, test, or forgotten deployments.
- Use the vendor patch commit and NVD record to confirm remediation scope before and after upgrade.
Evidence notes
CVE and NVD records both list Pagekit CMS before 1.0.11 as affected. The NVD entry published with the CVE gives CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H and CWE-640. The NVD reference list includes a Pagekit commit identified as the patch, a SecureLayer7 technical report, and third-party exploit references; this debrief relies on the official records and patch reference for defensive guidance. The published date used here is the CVE publish timestamp from the supplied timeline, not the later source modification timestamp.
Official resources
- CVE-2017-5594 CVE record (CVE.org)
- CVE-2017-5594 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Technical Description, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory, VDB Entry
Publicly disclosed in 2017; the supplied CVE timeline shows publishedAt 2017-01-25T18:59:00.153Z and later modifiedAt 2026-05-13T00:24:29.033Z. This debrief uses the CVE published date for issue timing.