Getkirby
Products
4- 48 CVEs
- 4 CVEs
- 3 CVEs
- 0 CVEs
Recent CVEs
53| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-54003 | cri | 0.52 | — | — | Jun 18, 2026 | ### TL;DR This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` request header. It was possible to install the Panel… | ||
| CVE-2026-41325 | Hig | 0.50 | 8.8 | 0.00 | Apr 24, 2026 | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also… | ||
| CVE-2026-34587 | Hig | 0.46 | 8.1 | 0.00 | Apr 24, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint… | ||
| CVE-2026-49276 | hig | 0.45 | — | — | Jun 18, 2026 | ### TL;DR This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it. A successful attack commonly… | ||
| CVE-2026-42137 | Med | 0.42 | 6.5 | 0.00 | May 9, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0. | ||
| CVE-2026-42069 | Med | 0.42 | 6.5 | 0.00 | May 9, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | ||
| CVE-2026-32870 | Hig | 0.42 | 7.5 | 0.00 | Apr 24, 2026 | Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0,… | ||
| CVE-2026-54005 | hig | 0.38 | — | — | Jun 18, 2026 | ### TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model blueprint(s), or a combination of… | ||
| CVE-2026-54002 | hig | 0.38 | — | — | Jun 18, 2026 | ### TL;DR This vulnerability affects Kirby sites and plugins that use the `writer` or `list` fields or that use `$dom->sanitize()`, `Sane::sanitize()`, `Sane\Html::sanitize()`, `Sane\Svg::sanitize()`, `Sane\Xml::sanitize()`, `Sane::sanitizeFile()` or… | ||
| CVE-2026-45368 | hig | 0.38 | — | 0.00 | May 27, 2026 | ### TL;DR This vulnerability affects all Kirby sites that allow the use of the `(link: …)` KirbyTag, the `link:` parameter of the `(image: …)` KirbyTag, the built-in `image` block with a link or the HTML importer for blocks, when content is authored by users who may not be… | ||
| CVE-2026-44177 | hig | 0.38 | — | 0.00 | May 26, 2026 | ### TL;DR This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. **This vulnerability is of high severity for all Kirby sites**. ---- ### Introduction Path traversal is a type of attack that allows to… | ||
| CVE-2026-44175 | hig | 0.38 | — | 0.00 | May 26, 2026 | ### TL;DR This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block. **This… | ||
| CVE-2026-44174 | hig | 0.38 | — | 0.00 | May 26, 2026 | ### TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. **This vulnerability is of high severity for affected sites and has a high real-world impact.** ---- ### Introduction Arbitrary method call is… | ||
| CVE-2017-16807 | Med | 0.38 | 5.4 | 0.02 | Nov 13, 2017 | A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file. | ||
| CVE-2026-40099 | Med | 0.35 | 6.5 | 0.00 | Apr 24, 2026 | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also… | ||
| CVE-2026-29905 | Med | 0.35 | 6.5 | 0.00 | Mar 26, 2026 | Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to… | ||
| CVE-2026-42174 | Med | 0.28 | 4.3 | 0.00 | May 9, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | ||
| CVE-2026-42051 | Med | 0.28 | 4.3 | 0.00 | May 9, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0. | ||
| CVE-2026-54004 | 0.00 | — | — | Jun 18, 2026 | ### TL;DR This vulnerability affects Kirby 5 sites that have the `content.fileRedirects` option enabled (set to `true` or a custom closure) as well as all Kirby 4 sites that haven't explicitly disabled this option. It was possible to access clean file URLs of top-level drafts… | |||
| CVE-2026-50188 | 0.00 | — | — | Jun 18, 2026 | ### TL;DR This vulnerability affects Kirby sites and plugins that use the `Kirby\Http\Remote` class (including `Remote::request()`, `Remote::get()`, `Remote::post()`, and similar helpers) to send outgoing HTTP requests and that pass untrusted, user-controlled data into the… |
- risk 0.52cvss —epss —
### TL;DR This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` request header. It was possible to install the Panel…
- risk 0.50cvss 8.8epss 0.00
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also…
- risk 0.46cvss 8.1epss 0.00
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint…
- risk 0.45cvss —epss —
### TL;DR This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it. A successful attack commonly…
- risk 0.42cvss 6.5epss 0.00
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
- risk 0.42cvss 6.5epss 0.00
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
- risk 0.42cvss 7.5epss 0.00
Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0,…
- risk 0.38cvss —epss —
### TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model blueprint(s), or a combination of…
- risk 0.38cvss —epss —
### TL;DR This vulnerability affects Kirby sites and plugins that use the `writer` or `list` fields or that use `$dom->sanitize()`, `Sane::sanitize()`, `Sane\Html::sanitize()`, `Sane\Svg::sanitize()`, `Sane\Xml::sanitize()`, `Sane::sanitizeFile()` or…
- risk 0.38cvss —epss 0.00
### TL;DR This vulnerability affects all Kirby sites that allow the use of the `(link: …)` KirbyTag, the `link:` parameter of the `(image: …)` KirbyTag, the built-in `image` block with a link or the HTML importer for blocks, when content is authored by users who may not be…
- risk 0.38cvss —epss 0.00
### TL;DR This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. **This vulnerability is of high severity for all Kirby sites**. ---- ### Introduction Path traversal is a type of attack that allows to…
- risk 0.38cvss —epss 0.00
### TL;DR This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block. **This…
- risk 0.38cvss —epss 0.00
### TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. **This vulnerability is of high severity for affected sites and has a high real-world impact.** ---- ### Introduction Arbitrary method call is…
- risk 0.38cvss 5.4epss 0.02
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
- risk 0.35cvss 6.5epss 0.00
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also…
- risk 0.35cvss 6.5epss 0.00
Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to…
- risk 0.28cvss 4.3epss 0.00
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
- risk 0.28cvss 4.3epss 0.00
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.
- CVE-2026-54004Jun 18, 2026risk 0.00cvss —epss —
### TL;DR This vulnerability affects Kirby 5 sites that have the `content.fileRedirects` option enabled (set to `true` or a custom closure) as well as all Kirby 4 sites that haven't explicitly disabled this option. It was possible to access clean file URLs of top-level drafts…
- CVE-2026-50188Jun 18, 2026risk 0.00cvss —epss —
### TL;DR This vulnerability affects Kirby sites and plugins that use the `Kirby\Http\Remote` class (including `Remote::request()`, `Remote::get()`, `Remote::post()`, and similar helpers) to send outgoing HTTP requests and that pass untrusted, user-controlled data into the…