Vulnerability Description
CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment.
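As an added illustration (not CouchCMS code), the trust boundary at issue: a user-creation handler that accepts the client-supplied f_k_levels_list value as-is, beside one that validates the requested level on the server against the requesting user's own level. The handler shape, the f_k_name field and the grant policy are assumptions; the level values 4 (Admin) and 10 (SuperAdmin) are from the description above.

```python
from dataclasses import dataclass

# Level values as stated in the advisory; everything else here is assumed.
ADMIN = 4
SUPER_ADMIN = 10

@dataclass(frozen=True)
class User:
    name: str
    level: int

class Forbidden(Exception):
    """Raised when the requesting user may not perform the action."""

def level_is_grantable(actor_level: int, requested: int) -> bool:
    """Assumed policy: a user may grant at most their own level, so only a
    SuperAdmin (10) can create another SuperAdmin and an Admin (4) is capped at 4."""
    return 0 <= requested <= actor_level

def create_user_vulnerable(actor: User, form: dict) -> User:
    """The flawed pattern: only the actor's right to create users is checked;
    the new account's level is whatever the client put in f_k_levels_list."""
    if actor.level < ADMIN:
        raise Forbidden("only Admin or higher may create users")
    return User(form["f_k_name"], int(form["f_k_levels_list"]))

def create_user_fixed(actor: User, form: dict) -> User:
    """Hardened form: the level is parsed defensively, then validated on the
    server against the actor's own level before any account is created."""
    if actor.level < ADMIN:
        raise Forbidden("only Admin or higher may create users")
    try:
        requested = int(form["f_k_levels_list"])
    except (KeyError, ValueError, TypeError) as exc:
        raise Forbidden("missing or non-numeric f_k_levels_list") from exc
    if not level_is_grantable(actor.level, requested):
        raise Forbidden(f"{actor.name} (level {actor.level}) may not grant level {requested}")
    return User(form["f_k_name"], requested)

if __name__ == "__main__":
    admin = User("alice", ADMIN)
    tampered = {"f_k_name": "bob", "f_k_levels_list": "10"}  # constructed body, value 4 changed to 10
    print("vulnerable handler grants level", create_user_vulnerable(admin, tampered).level)
    print("fixed handler allows it:", level_is_grantable(admin.level, int(tampered["f_k_levels_list"])))
```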
CVSS Score
7.2 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Couchcms | Couchcms | <= 2.4 |
Related Weaknesses (CWE)
References
- https://gist.github.com/thepiyushkumarshukla/477e2d2bbbe8cc3ec0d640c50f0cf9e1 (Exploit, Third Party Advisory)
- https://www.couchcms.com/ (Product)
- https://www.vulncheck.com/advisories/couchcms-privilege-escalation-via-f-k-level (Third Party Advisory)
FAQ
What is CVE-2026-29002?
CVE-2026-29002 is a vulnerability with a CVSS score of 7.2 (HIGH): a privilege escalation in CouchCMS that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. See the Vulnerability Description above.
How severe is CVE-2026-29002?
CVE-2026-29002 has been rated HIGH with a CVSS base score of 7.2/10. See the CVSS Score section above.
Is there a patch for CVE-2026-29002?
Check the References section above for vendor advisories and patch information. Affected products: Couchcms Couchcms, versions <= 2.4.