VYPR
Medium severity 6.5 · GHSA Advisory · Published May 9, 2026 · Updated May 18, 2026

CVE-2026-42137

Description

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
getkirby/cms (Packagist) | < 4.9.0 | 4.9.0
getkirby/cms (Packagist) | >= 5.0.0, < 5.4.0 | 5.4.0

Affected products

3
  • Getkirby/Kirby (GHSA, 2 versions)
    >= 5.0.0, <= 5.3.3 (+ 1 more)
    • (no CPE) range: >= 5.0.0, <= 5.3.3
    • cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:* range: < 4.9.0
  • ghsa-coords
    Range: < 4.9.0
