Medium severity 6.5 · GHSA Advisory · Published May 9, 2026 · Updated May 18, 2026
CVE-2026-42137
Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| getkirby/cms (Packagist) | < 4.9.0 | 4.9.0 |
| getkirby/cms (Packagist) | >= 5.0.0, < 5.4.0 | 5.4.0 |
References
- github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c (nvd: Patch, Vendor Advisory; WEB)
- github.com/advisories/GHSA-85x2-r8xv-ww8c (ghsa: ADVISORY)
- github.com/getkirby/kirby/releases/tag/4.9.0 (nvd: Release Notes; WEB)
- github.com/getkirby/kirby/releases/tag/5.4.0 (nvd: Release Notes; WEB)