Vuejs-Pagekit: PageKit - Modular and lightweight CMS built with Symfony components and Vue.js.

Pagekit Banner


Build Status Discord

Pagekit is a modular and lightweight CMS built with Symfony components and Vue.js.

Pagekit is an Open Source project developed by YOOtheme.

Download release (recommended)

  1. Download the latest release.
  2. Extract the archive and copy the extracted folder to your webserver.
  3. Open the extracted url in your browser, i.e. http://localhost/pagekit and follow the installer.

Install from source

If you want to run the current development version, you can install Pagekit from source.


Pagekit offers a set of commands to run usual tasks on the command line. You can see the available commands with

./pagekit --help


Finding bugs, sending pull requests, translating Pagekit or improving our docs - any contribution is welcome and highly appreciated. To get started, head over to our contribution guidelines. Thanks!

Copyright and License

Copyright YOOtheme GmbH under the MIT license.


Half Dome Photo by Brendan Lynch / CC BY


  • Support Rest API
    Support Rest API

    Feb 15, 2021

    the project has an API to consume users, content and all that?

  • Uncaught Error: Class 'Doctrine\Common\Annotations\AnnotationRegistry' not found
    Uncaught Error: Class 'Doctrine\Common\Annotations\AnnotationRegistry' not found

    Feb 28, 2021


    After migrating to another server, even Pagekit-cli does not not work:

    PHP Fatal error: Uncaught Error: Class 'Doctrine\Common\Annotations\AnnotationRegistry' not found in /var/www/vhosts/domain/httpdocs/autoload.php:31 Stack trace: #0 /var/www/vhosts/domain/httpdocs/app/console/app.php(8): require() #1 /var/www/vhosts/domain/httpdocs/index.php(42): require_once('/var/www/vhosts...') #2 /var/www/vhosts/domain/httpdocs/pagekit(8): require_once('/var/www/vhosts...')

    Technical Details

    • Pagekit version: latest
    • Webserver: Apache 2.4
    • Database: SQLite
    • PHP Version: 7.3/7.4
  • PageKit > Cross-site scripting (DOM-based)
    PageKit > Cross-site scripting (DOM-based)

    Mar 4, 2021


    We have run BurpSuit(Security Scan tool) on our PageKit project and it was providing high-risk bugs in codemirror.js which is internally used in editor.js in Pagekit.

    Report Details

    Cross-site scripting (DOM-based)


    Issue detail:

    The application may be vulnerable to DOM-based cross-site scripting. Data is read from textarea.value and passed to jQuery.html.

    Issue background

    DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.

    DOM-based cross-site scripting arises when a script writes controllable data into the HTML document in an unsafe way. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

    The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

    Users can be induced to visit the attacker's crafted URL in various ways, similar to the usual attack delivery vectors for reflected cross-site scripting vulnerabilities.

    Burp Suite automatically identifies this issue using static code analysis, which may lead to false positives that are not actually exploitable. The relevant code and execution paths should be reviewed to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.

    Issue remediation

    The most effective way to avoid DOM-based cross-site scripting vulnerabilities is not to dynamically write data from any untrusted source into the HTML document. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from introducing script code into the document. In many cases, the relevant data can be validated on a whitelist basis, to allow only content that is known to be safe. In other cases, it will be necessary to sanitize or encode the data. This can be a complex task, and depending on the context that the data is to be inserted may need to involve a combination of JavaScript escaping, HTML encoding, and URL encoding, in the appropriate sequence.


    Vulnerability classifications


    GET /admin/site/page/edit?id=page&menu=administrator HTTP/1.1 Host: Cookie: pagekit_session=in8ah866le3ra2krdp04ttvtd9; pagekit_auth=BBheftEBY9AqeDiqdBmcdBGdVBR8XiQ8.LjejPpWLZo%2FeZyydLRM%2FFfPX84MBq6v; current_role=MQ%3D%3D; remember_ses=in8ah866le3ra2krdp04ttvtd9 Upgrade-Insecure-Requests: 1 Referer: Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Connection: close Cache-Control: max-age=0 Accept-Encoding: gzip, deflate


    HTTP/1.1 200 OK Date: Thu, 04 Feb 2021 15:46:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 19195 Connection: close Server: Apache Vary: X-Forwarded-Proto,Accept-Encoding Set-Cookie: remember_ses=in8ah866le3ra2krdp04ttvtd9; expires=Sat, 06-Feb-2021 15:46:55 GMT; Max-Age=172800; path=/; secure; HttpOnly Cache-Control: private, max-age=0, no-store, max-age=0 Set-Cookie: current_role=MQ%3D%3D; expires=Fri, 04-Feb-2022 15:46:55 GMT; Max-Age=31536000; path=/; secure; HttpOnly Set-Cookie: remember_ses=in8ah866le3ra2krdp04ttvtd9; expires=Sat, 06-Feb-2021 15:46:55 GMT; Max-Age=172800; path=/; secure; HttpOnly Cache-Control: no-cache Expires: Thu, 04 Feb 2021 15:46:55 GMT

    <!DOCTYPE html> <html lang="en-US"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, i


    Dynamic analysis:

    Data is read from textarea.value and passed to jQuery.html.

    • The following value was injected into the source:

    • The previous value reached the sink:

    • The stack trace at source was:

      at HTMLTextAreaElement.get [as value] (<anonymous>:1:765266)
      at Function.v.fromTextArea (
      at o.init (
      at new o (
      at Object.<computed> [as htmleditor] (
      at VueComponent.<anonymous> (
    • The stack trace at the sink was:

      at Object.apply (<anonymous>:1:940882)
      at o.render (
      at o.disableMarkdown (
      at HTMLTextAreaElement.disableMarkdown (
      at HTMLTextAreaElement.dispatch (
      at HTMLTextAreaElement.r.handle (
      at Object.trigger (
      at HTMLTextAreaElement.<anonymous> (
      at Function.each (
      at Object.each (
      at Object.trigger (
      at o.trigger (
      at VueComponent.$watch.immediate (
      at VueComponent.t.$watch (
      at VueComponent.<anonymous> (
    • This was triggered by a load event.

    Is there any way to fix this issue? Thanks in advance!!

    Technical Details

    • Pagekit version: 1.0.13
    • Webserver: Apache
    • Database: 5.6.10
    • PHP Version: 7.3.19
  • A stored XSS has been found  in PageKit CMS affecting versions  1.0.18.
    A stored XSS has been found in PageKit CMS affecting versions 1.0.18.

    Apr 30, 2021


    A user can upload SVG files in the file upload portion of the CMS. These SVG files can contain malicious scripts. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/exp.svg" that will point to http://localhost/pagekit/storage/exp.svg. When a user comes along to click that link, it will trigger a XSS attack.

    pagekit com_xss


    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">
    <svg version="1.1" baseProfile="full" xmlns="">
    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
    <script type="text/javascript">

    Technical Details

    • Pagekit version: 1.0.18.
    • Webserver: nginx1.15.11
    • Database: MySQL5.7.26
    • PHP Version: 7.3.4
  • 500 Internal Server Error
    500 Internal Server Error

    Jun 14, 2021

    500 Internal Server Error

    'The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator at [email protected] to inform them of the time this error occurred, and the actions you performed just before this error.

    More information about this error may be available in the server error log.

    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request."

    Technical Details

    • Pagekit version: 2 years Old & tried latest build 1.0.18
    • Webserver: WHM
    • Database: MYSQL 5.6
    • PHP Version: 5.6 - 7.3
  • update license year
    update license year

    Jan 2, 2022

    update license year

  • Error ZipArchive must be available Fix Install and enable the ZIP extension.
    Error ZipArchive must be available Fix Install and enable the ZIP extension.

    Jul 22, 2014 php-zip, curl et.c. installed have an ideas?

  • Impossible to connect to the database
    Impossible to connect to the database

    Aug 7, 2014

    Somthing strange going on. I couldn't compleet third installation of Pagekit. Previos two atempts didn't cause any problems. But now Pagekit couldn't connect to data base. can't imagine what happened.

  • Regular WYSIWIG editor
    Regular WYSIWIG editor

    Aug 4, 2014

    The current editor is very user unfriendly. Any CMS should have at least one modern WYSIWIG editor. This editor is almost unusable for regular website builders, CMS users and authors.

  • [Bug] Warning when installing 0.9
    [Bug] Warning when installing 0.9

    Sep 10, 2015

    When I install 0.9 on OSX Yosemite + Apache (installed with macports), with PHP 5.6.13 instlled as Apache module I have the next response when trying to configure MySQL connection:

    <br />
    <b>Deprecated</b>:  Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. in <b>Unknown</b> on line <b>0</b><br />
    <br />
    <b>Warning</b>:  Cannot modify header information - headers already sent in <b>Unknown</b> on line <b>0</b><br />
    {"status":"no-connection","message":"Database connection failed!"}

    "Connection failed" is ok, but warning probably is not :)

  • Config options in database not consistently displayed in config()
    Config options in database not consistently displayed in config()

    Jun 24, 2016

    Make sure to provide the following details when submitting your issue. Remove anything that doesn't apply for your scenario. Thanks!


    So the title might not be the clearest, but when using App::module('shoutzor')->config('liquidsoap'); it will only show the default config settings as set in the index.php file, whereas App::config()->get('liquidsoap') will display the changes to config settings as stored in the database.

    This is very inconsistent behaviour and IMO not something that would be expected, is this a bug or intended?


    $baseConfig = App::module('shoutzor')->config('liquidsoap'); //Only returns default values as stored in index.php
    $config = App::config('liquidsoap')->toArray(); //only returns values that are stored in the DB, it doesn't first fetch the default values from index.php (if nothing is saved before, that means 0 results)
    $config = array_merge($baseConfig, $config); //only now you have a proper list of values including changes as stored in the database

    Technical Details

    • Pagekit version:1.0.3
    • Webserver: Apache
    • Database: MySQL 5.6.31
    • PHP Version: 5.6.20-0+deb8u1


    • [x] I have enabled debug mode:
    • [X] I have verified the server requirements:
    • [X] I have tried disabling all installed extensions
    • [X] I have checked the browser developer console for JavaScript errors
  • Tree Page View
    Tree Page View

    Jul 30, 2014

    We are currently discussing to add a Tree Page View to Pagekit. It will show a hierarchical view of all the site's pages. With a growing number of pages, sites can get hard to manage.

    The Tree Page View will give an overview of the site's page structure. The hierarchy will make it easy to spot pages.

    Within the tree it will be possible to view, add, edit and filter pages. To mount (drag and drop) pages underneath other pages.

    A page can be anything from a simple page to a blog, a blog post or a shop site. They will have a slug, that'll define their url.

    Pages will have access rights which they can inherit from their parents. Further they can be assigned widgets. Which makes it much clearer, what widgets will be shown on what page.

    Through this change, the backend ui will be drastically simplified. There will no longer be a separate pages, menu, widgets and alias view. All this functionality will be managed clearly arranged in one place.

    Users will have a much easier time finding, why content under a certain URL is shown and to edit that content.

    The discussion focusses mainly around the question of whether the Tree Page View will show the menu structure of the site, already with separators and menu headers. Or if that will be moved to separate menu widgets.