VYPR advisory · Published May 31, 2026 · 1 source

Kirby CMS: Six High-Severity CVEs Disclosed in 18-Hour Batch

Six high-severity vulnerabilities hit Kirby CMS on May 26–27, 2026, spanning XSS, path traversal, permission bypass, and arbitrary method call — all patched in versions 5.4.1 and 4.6.1.

The Kirby team disclosed six high-severity CVEs across an 18-hour window on May 26–27, 2026, covering cross-site scripting (XSS), path traversal, permission bypass, and arbitrary method call flaws. The batch affects Kirby 4.x and 5.x sites and has been addressed in releases 5.4.1 and 4.6.1. Users of the flat-file CMS should treat these as urgent updates, particularly given the pre-authentication nature of one of the bugs.

Pre-authentication path traversal (CVE-2026-44177) is the most severe of the batch. The flaw lives in Kirby's user lookup mechanism and is independent of authentication state — any visitor to a Kirby 5.3.0–5.4.0 site can exploit it. The vulnerability allows path traversal and PHP file inclusion, which in practice means an unauthenticated attacker could read arbitrary files or execute server-side code. Kirby's advisory explicitly calls this "high severity for all Kirby sites" regardless of setup conditions.

Two XSS bugs target the frontend via user-authored content. CVE-2026-45368 affects the (link: …) KirbyTag, the link: parameter of the (image: …) KirbyTag, the built-in image block when it carries a link, and the HTML importer for blocks. Any site that accepts these tags from semi-trusted users is at risk. CVE-2026-44175 is a separate XSS vector through the list field and list block; it also requires an authenticated Panel user with update permission. Both are rated high severity and could let an attacker inject arbitrary JavaScript into the site frontend.

Permission bypass bugs round out the disclosure. CVE-2026-44176 concerns the pages.access permission — Kirby was not checking this permission when rendering page drafts, meaning users who should have no access to certain pages could view their drafts. CVE-2026-45334 is an information disclosure via content locks: the locks leak user IDs and email addresses of users that the attacker's role should not be able to see, bypassing users.access and users.list restrictions.

Arbitrary method call via REST API (CVE-2026-44174) affects the search and collection query endpoints. An authenticated Panel user with sufficient permissions could trigger arbitrary method calls, a form of arbitrary code execution. Kirby rates this as high severity with "high real-world impact" because the attack surface is the authenticated Panel user base — a realistic threat in multi-tenant or editorial environments.

All six CVEs are fixed in Kirby 5.4.1 (for the 5.x line) and Kirby 4.6.1 (for the 4.x line). The vendor advisories are available at getkirby.com. Users running Kirby 5.3.0 through 5.4.0 should update immediately, especially given the unauthenticated path traversal in CVE-2026-44177. Sites on older 4.x branches should upgrade to 4.6.1.
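A quick way to turn the version boundaries above into a repeatable check is to read the locked getkirby/cms version out of composer.lock and compare it with the fixed releases per major line. The script below is an added example, not Kirby's own tooling; the composer.lock content is constructed for illustration, and the only version boundaries it knows are the ones stated in this advisory (5.4.1 and 4.6.1 as the fixed releases, and 5.3.0 through 5.4.0 as the range exposed to the pre-authentication path traversal in CVE-2026-44177). It deliberately reports nothing for major versions the advisory does not cover.

```python
"""Exposure check for the Kirby CMS advisory batch (added example, not Kirby code).

Reads the getkirby/cms entry from a composer.lock file and compares it with the
fixed releases named in the advisory. The lock file below is constructed for the
example; the version boundaries are taken from the advisory text.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per major line, as stated in the advisory.
FIXED = {5: (5, 4, 1), 4: (4, 6, 1)}
# Inclusive range given for the pre-authentication path traversal (CVE-2026-44177).
PREAUTH_RANGE: Tuple[Version, Version] = ((5, 3, 0), (5, 4, 0))

KIRBY_PACKAGE = "getkirby/cms"

# Constructed composer.lock excerpt; a real file has many more packages and fields.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/unrelated-package", "version": "v2.0.0"},
        {"name": KIRBY_PACKAGE, "version": "v5.3.2"},
    ]
})


def parse_version(text: str) -> Version:
    """Turn a composer version string such as "v5.3.2" or "5.4.0" into a tuple.

    Dev references such as "dev-main" carry no release number and are rejected,
    so a human has to look at them rather than trusting a silent default.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def installed_kirby_version(lock_json: str) -> Optional[Version]:
    """Return the locked getkirby/cms version from composer.lock, or None if absent."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == KIRBY_PACKAGE:
            return parse_version(pkg["version"])
    return None


def assess(version: Version) -> dict:
    """Classify an installed version against the advisory's fixed releases."""
    major = version[0]
    result = {
        "version": ".".join(map(str, version)),
        "covered_by_advisory": major in FIXED,
        "needs_update": False,
        "fixed_in": None,
        "preauth_path_traversal": False,  # CVE-2026-44177 exposure
    }
    if major not in FIXED:
        # The advisory names only the 4.x and 5.x lines; make no claim about others.
        return result
    fixed = FIXED[major]
    result["fixed_in"] = ".".join(map(str, fixed))
    # Tuple comparison gives correct semantic ordering for (major, minor, patch).
    result["needs_update"] = version < fixed
    low, high = PREAUTH_RANGE
    result["preauth_path_traversal"] = low <= version <= high
    return result


def check_lockfile(lock_json: str) -> Optional[dict]:
    """Assess the Kirby version locked in the given composer.lock content."""
    version = installed_kirby_version(lock_json)
    return assess(version) if version is not None else None


if __name__ == "__main__":
    report = check_lockfile(SAMPLE_LOCK)
    if report is None:
        print(f"{KIRBY_PACKAGE} not found in composer.lock")
    else:
        for key, value in report.items():
            print(f"{key}: {value}")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents. A `needs_update` of True means the installed release predates the fixed release for its line; `preauth_path_traversal` flags the narrower 5.3.0 to 5.4.0 range that is exploitable without authentication, which is the case to prioritise.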

For Kirby site operators, this batch underscores the importance of keeping up with the CMS's release cadence. The mix of pre-auth code execution, frontend XSS, and permission bypasses means that even sites with locked-down user roles may have exposure through the REST API or content-authoring workflows. The Kirby team's coordinated disclosure — all six advisories published within 18 hours — gives administrators a single window to assess and patch.

Synthesized by Vypr AI