VYPR

Kirby

by Getkirby


CVEs (48)

  • CVE-2026-54003 · Critical · Jun 18, 2026
    risk 0.52 · CVSS: not listed · EPSS: not listed

    TL;DR: This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` request header. It was possible to install the Panel…

  • CVE-2026-41325 · High · Apr 24, 2026
    risk 0.50 · CVSS: 8.8 · EPSS: 0.00

    Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also…

  • CVE-2026-34587 · High · Apr 24, 2026
    risk 0.46 · CVSS: 8.1 · EPSS: 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint…

  • CVE-2026-49276 · High · Jun 18, 2026
    risk 0.45 · CVSS: not listed · EPSS: not listed

    TL;DR: This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it. A successful attack commonly…

  • CVE-2026-42137 · Medium · May 9, 2026
    risk 0.42 · CVSS: 6.5 · EPSS: 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2026-42069 · Medium · May 9, 2026
    risk 0.42 · CVSS: 6.5 · EPSS: 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2026-32870 · High · Apr 24, 2026
    risk 0.42 · CVSS: 7.5 · EPSS: 0.00

    Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0,…

  • CVE-2026-54005 · High · Jun 18, 2026
    risk 0.38 · CVSS: not listed · EPSS: not listed

    TL;DR: This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model blueprint(s), or a combination of…

  • CVE-2026-54002 · High · Jun 18, 2026
    risk 0.38 · CVSS: not listed · EPSS: not listed

    TL;DR: This vulnerability affects Kirby sites and plugins that use the `writer` or `list` fields or that use `$dom->sanitize()`, `Sane::sanitize()`, `Sane\Html::sanitize()`, `Sane\Svg::sanitize()`, `Sane\Xml::sanitize()`, `Sane::sanitizeFile()` or…

  • CVE-2026-45368 · High · May 27, 2026
    risk 0.38 · CVSS: not listed · EPSS: 0.00

    TL;DR: This vulnerability affects all Kirby sites that allow the use of the `(link: …)` KirbyTag, the `link:` parameter of the `(image: …)` KirbyTag, the built-in `image` block with a link or the HTML importer for blocks, when content is authored by users who may not be…

  • CVE-2026-44177 · High · May 26, 2026
    risk 0.38 · CVSS: not listed · EPSS: 0.00

    TL;DR: This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. **This vulnerability is of high severity for all Kirby sites.** Introduction: Path traversal is a type of attack that allows to…

  • CVE-2026-44175 · High · May 26, 2026
    risk 0.38 · CVSS: not listed · EPSS: 0.00

    TL;DR: This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block. **This…

  • CVE-2026-44174 · High · May 26, 2026
    risk 0.38 · CVSS: not listed · EPSS: 0.00

    TL;DR: This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. **This vulnerability is of high severity for affected sites and has a high real-world impact.** Introduction: Arbitrary method call is…

  • CVE-2026-40099 · Medium · Apr 24, 2026
    risk 0.35 · CVSS: 6.5 · EPSS: 0.00

    Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also…

  • CVE-2026-29905 · Medium · Mar 26, 2026
    risk 0.35 · CVSS: 6.5 · EPSS: 0.00

    Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to…

  • CVE-2026-42174 · Medium · May 9, 2026
    risk 0.28 · CVSS: 4.3 · EPSS: 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2026-42051 · Medium · May 9, 2026
    risk 0.28 · CVSS: 4.3 · EPSS: 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2026-54004 · Jun 18, 2026
    risk 0.00 · CVSS: not listed · EPSS: not listed

    TL;DR: This vulnerability affects Kirby 5 sites that have the `content.fileRedirects` option enabled (set to `true` or a custom closure) as well as all Kirby 4 sites that haven't explicitly disabled this option. It was possible to access clean file URLs of top-level drafts…

  • CVE-2026-50188 · Jun 18, 2026
    risk 0.00 · CVSS: not listed · EPSS: not listed

    TL;DR: This vulnerability affects Kirby sites and plugins that use the `Kirby\Http\Remote` class (including `Remote::request()`, `Remote::get()`, `Remote::post()`, and similar helpers) to send outgoing HTTP requests and that pass untrusted, user-controlled data into the…

  • CVE-2026-49274 · Jun 18, 2026
    risk 0.00 · CVSS: not listed · EPSS: not listed

    TL;DR: This vulnerability affects all Kirby sites that use the `pages` field and where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model…

Page 1 of 3