VYPR

Vendor CVEs

Getkirby

All CVEs

53 total · sorted by risk
  • CVE-2026-54003criJun 18, 2026
    risk 0.52cvss epss

    ### TL;DR This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` request header. It was possible to install the Panel…

  • CVE-2026-41325HigApr 24, 2026
    risk 0.50cvss 8.8epss 0.00

    Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also…

  • CVE-2026-34587HigApr 24, 2026
    risk 0.46cvss 8.1epss 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint…

  • CVE-2026-49276higJun 18, 2026
    risk 0.45cvss epss

    ### TL;DR This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it. A successful attack commonly…

  • CVE-2026-42137MedMay 9, 2026
    risk 0.42cvss 6.5epss 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2026-42069MedMay 9, 2026
    risk 0.42cvss 6.5epss 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2026-32870HigApr 24, 2026
    risk 0.42cvss 7.5epss 0.00

    Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0,…

  • CVE-2026-54005higJun 18, 2026
    risk 0.38cvss epss

    ### TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model blueprint(s), or a combination of…

  • CVE-2026-54002higJun 18, 2026
    risk 0.38cvss epss

    ### TL;DR This vulnerability affects Kirby sites and plugins that use the `writer` or `list` fields or that use `$dom->sanitize()`, `Sane::sanitize()`, `Sane\Html::sanitize()`, `Sane\Svg::sanitize()`, `Sane\Xml::sanitize()`, `Sane::sanitizeFile()` or…

  • CVE-2026-45368higMay 27, 2026
    risk 0.38cvss epss 0.00

    ### TL;DR This vulnerability affects all Kirby sites that allow the use of the `(link: …)` KirbyTag, the `link:` parameter of the `(image: …)` KirbyTag, the built-in `image` block with a link or the HTML importer for blocks, when content is authored by users who may not be…

  • CVE-2026-44177higMay 26, 2026
    risk 0.38cvss epss 0.00

    ### TL;DR This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. **This vulnerability is of high severity for all Kirby sites**. ---- ### Introduction Path traversal is a type of attack that allows to…

  • CVE-2026-44175higMay 26, 2026
    risk 0.38cvss epss 0.00

    ### TL;DR This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block. **This…

  • CVE-2026-44174higMay 26, 2026
    risk 0.38cvss epss 0.00

    ### TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. **This vulnerability is of high severity for affected sites and has a high real-world impact.** ---- ### Introduction Arbitrary method call is…

  • CVE-2017-16807MedNov 13, 2017
    risk 0.38cvss 5.4epss 0.02

    A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.

  • CVE-2026-40099MedApr 24, 2026
    risk 0.35cvss 6.5epss 0.00

    Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also…

  • CVE-2026-29905MedMar 26, 2026
    risk 0.35cvss 6.5epss 0.00

    Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to…

  • CVE-2026-42174MedMay 9, 2026
    risk 0.28cvss 4.3epss 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2026-42051MedMay 9, 2026
    risk 0.28cvss 4.3epss 0.00

    Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.

  • CVE-2026-54004Jun 18, 2026
    risk 0.00cvss epss

    ### TL;DR This vulnerability affects Kirby 5 sites that have the `content.fileRedirects` option enabled (set to `true` or a custom closure) as well as all Kirby 4 sites that haven't explicitly disabled this option. It was possible to access clean file URLs of top-level drafts…

  • CVE-2026-50188Jun 18, 2026
    risk 0.00cvss epss

    ### TL;DR This vulnerability affects Kirby sites and plugins that use the `Kirby\Http\Remote` class (including `Remote::request()`, `Remote::get()`, `Remote::post()`, and similar helpers) to send outgoing HTTP requests and that pass untrusted, user-controlled data into the…

  • CVE-2026-49274Jun 18, 2026
    risk 0.00cvss epss

    ### TL;DR This vulnerability affects all Kirby sites that use the `pages` field and where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model…

  • CVE-2026-45334May 27, 2026
    risk 0.00cvss epss 0.00

    ### TL;DR This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the `users.access` or `users.list` permissions. A site is affected if users of a particular role are not allowed to see other users in the Panel, for example because…

  • CVE-2026-44176May 26, 2026
    risk 0.00cvss epss 0.00

    ### TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), via `options` in the model blueprint(s) or via a…

  • CVE-2026-21896Jan 8, 2026
    risk 0.00cvss epss 0.00

    Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write…

  • CVE-2025-65012Nov 18, 2025
    risk 0.00cvss epss 0.00

    Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate…

  • CVE-2025-31493May 13, 2025
    risk 0.00cvss epss 0.00

    Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name (such as a collection name that depends…

  • CVE-2025-30207May 13, 2025
    risk 0.00cvss epss 0.00

    Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software (such…

  • CVE-2025-30159May 13, 2025
    risk 0.00cvss epss 0.01

    Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `snippet()` helper or `$kirby->snippet()` method with a dynamic snippet name (such as a snippet name that depends on request…

  • CVE-2024-41964Aug 29, 2024
    risk 0.00cvss epss 0.00

    Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not…

  • CVE-2024-27087Feb 26, 2024
    risk 0.00cvss epss 0.00

    Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined…

  • CVE-2024-26484Feb 22, 2024
    risk 0.00cvss epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link field. NOTE: the vendor's position is that this issue did not affect any…

  • CVE-2023-38492Jul 27, 2023
    risk 0.00cvss epss 0.01

    Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited,…

  • CVE-2023-38491Jul 27, 2023
    risk 0.00cvss epss 0.01

    Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary…

  • CVE-2023-38490Jul 27, 2023
    risk 0.00cvss epss 0.02

    Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby…

  • CVE-2023-38489Jul 27, 2023
    risk 0.00cvss epss 0.01

    Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a…

  • CVE-2023-38488Jul 27, 2023
    risk 0.00cvss epss 0.01

    Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update a Kirby…

  • CVE-2022-39315Oct 25, 2022
    risk 0.00cvss epss 0.01

    Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks…

  • CVE-2022-39314Oct 24, 2022
    risk 0.00cvss epss 0.00

    Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the `code` or `password-reset` auth…

  • CVE-2022-36037Aug 29, 2022
    risk 0.00cvss epss 0.01

    kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or…

  • CVE-2018-14519Aug 24, 2022
    risk 0.00cvss epss 0.00

    An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.

  • CVE-2018-14520Aug 24, 2022
    risk 0.00cvss epss 0.01

    An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages.

  • CVE-2021-41258Nov 16, 2021
    risk 0.00cvss epss 0.01

    Kirby is an open source file structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters to…

  • CVE-2021-41252Nov 16, 2021
    risk 0.00cvss epss 0.01

    Kirby is an open source file structured CMS ### Impact Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would…

  • CVE-2021-32735Jul 2, 2021
    risk 0.00cvss epss 0.01

    Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious…

  • CVE-2021-29460Apr 27, 2021
    risk 0.00cvss epss 0.03

    Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser…

  • CVE-2020-26255Dec 8, 2020
    risk 0.00cvss epss 0.01

    Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers…

  • CVE-2020-26253Dec 8, 2020
    risk 0.00cvss epss 0.01

    Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin…

  • CVE-2018-16623May 13, 2019
    risk 0.00cvss epss 0.01

    Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown.

  • CVE-2018-16624May 13, 2019
    risk 0.00cvss epss 0.01

    panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page.

  • CVE-2018-16630Dec 28, 2018
    risk 0.00cvss epss 0.01

    Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file.

Page 1 of 2