Packagist (Composer) package

getkirby/cms

pkg:composer/getkirby/cms

Vulnerabilities (35)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-42174	Med	4.3	< 4.9.0	4.9.0	May 9, 2026	Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
CVE-2026-42137	Med	6.5	< 4.9.0	4.9.0	May 9, 2026	Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
CVE-2026-42069	Med	6.5	< 4.9.0	4.9.0	May 9, 2026	Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
CVE-2026-42051	Med	4.3	< 4.9.0	4.9.0	May 9, 2026	Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.
CVE-2026-41325	Hig	8.8	< 4.9.0	4.9.0	Apr 24, 2026	Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also pos
CVE-2026-40099	Med	6.5	< 4.9.0	4.9.0	Apr 24, 2026	Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also pos
CVE-2026-34587	Hig	8.1	< 4.9.0	4.9.0	Apr 24, 2026	Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blu
CVE-2026-32870	Hig	7.5	< 4.9.0	4.9.0	Apr 24, 2026	Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0,
CVE-2026-29905	Med	6.5	< 5.2.0-rc.1	5.2.0-rc.1	Mar 26, 2026	Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to p
CVE-2026-21896		—	>= 5.0.0, < 5.2.2	5.2.2	Jan 8, 2026	Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actio
CVE-2025-65012		—	>= 5.0.0, < 5.1.4	5.1.4	Nov 18, 2025	Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for
CVE-2025-31493		—	< 3.9.8.3	3.9.8.3	May 13, 2025	Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name (such as a collection name that depends
CVE-2025-30207		—	< 3.9.8.3	3.9.8.3	May 13, 2025	Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software (such as
CVE-2024-41964		—	< 3.6.6.6	3.6.6.6	Aug 29, 2024	Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enfor
CVE-2024-27087		—	>= 4.0.0, < 4.1.1	4.1.1	Feb 26, 2024	Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined li
CVE-2024-26483		—	< 3.6.6.5	3.6.6.5	Feb 22, 2024	An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.
CVE-2024-26482		—	<= 4.1.0	—	Feb 22, 2024	An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's
CVE-2024-26481		—	< 3.6.6.5	3.6.6.5	Feb 22, 2024	Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter.
CVE-2023-38492		—	< 3.5.8.3	3.5.8.3	Jul 27, 2023	Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited, h
CVE-2023-38491		—	< 3.5.8.3	3.5.8.3	Jul 27, 2023	Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary fi

CVE-2026-42174MedMay 9, 2026
affected < 4.9.0fixed 4.9.0
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
CVE-2026-42137MedMay 9, 2026
affected < 4.9.0fixed 4.9.0
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
CVE-2026-42069MedMay 9, 2026
affected < 4.9.0fixed 4.9.0
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
CVE-2026-42051MedMay 9, 2026
affected < 4.9.0fixed 4.9.0
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.
CVE-2026-41325HigApr 24, 2026
affected < 4.9.0fixed 4.9.0
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also pos
CVE-2026-40099MedApr 24, 2026
affected < 4.9.0fixed 4.9.0
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also pos
CVE-2026-34587HigApr 24, 2026
affected < 4.9.0fixed 4.9.0
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blu
CVE-2026-32870HigApr 24, 2026
affected < 4.9.0fixed 4.9.0
Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0,
CVE-2026-29905MedMar 26, 2026
affected < 5.2.0-rc.1fixed 5.2.0-rc.1
Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to p
CVE-2026-21896Jan 8, 2026
affected >= 5.0.0, < 5.2.2fixed 5.2.2
Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actio
CVE-2025-65012Nov 18, 2025
affected >= 5.0.0, < 5.1.4fixed 5.1.4
Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for
CVE-2025-31493May 13, 2025
affected < 3.9.8.3fixed 3.9.8.3
Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name (such as a collection name that depends
CVE-2025-30207May 13, 2025
affected < 3.9.8.3fixed 3.9.8.3
Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software (such as
CVE-2024-41964Aug 29, 2024
affected < 3.6.6.6fixed 3.6.6.6
Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enfor
CVE-2024-27087Feb 26, 2024
affected >= 4.0.0, < 4.1.1fixed 4.1.1
Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined li
CVE-2024-26483Feb 22, 2024
affected < 3.6.6.5fixed 3.6.6.5
An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.
CVE-2024-26482Feb 22, 2024
affected <= 4.1.0
An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's
CVE-2024-26481Feb 22, 2024
affected < 3.6.6.5fixed 3.6.6.5
Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter.
CVE-2023-38492Jul 27, 2023
affected < 3.5.8.3fixed 3.5.8.3
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited, h
CVE-2023-38491Jul 27, 2023
affected < 3.5.8.3fixed 3.5.8.3
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary fi

Page 1 of 2