Vendor CVEs
Getkirby
All CVEs
53 total · sorted by risk

| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-54003 | Critical | 0.52 | — | — | Jun 18, 2026 | TL;DR: This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` request header. It was possible to install the Panel… |
| CVE-2026-41325 | High | 0.50 | 8.8 | 0.00 | Apr 24, 2026 | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also… |
| CVE-2026-34587 | High | 0.46 | 8.1 | 0.00 | Apr 24, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint… |
| CVE-2026-49276 | High | 0.45 | — | — | Jun 18, 2026 | TL;DR: This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it. A successful attack commonly… |
| CVE-2026-42137 | Medium | 0.42 | 6.5 | 0.00 | May 9, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0. |
| CVE-2026-42069 | Medium | 0.42 | 6.5 | 0.00 | May 9, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0. |
| CVE-2026-32870 | High | 0.42 | 7.5 | 0.00 | Apr 24, 2026 | Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0,… |
| CVE-2026-54005 | High | 0.38 | — | — | Jun 18, 2026 | TL;DR: This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model blueprint(s), or a combination of… |
| CVE-2026-54002 | High | 0.38 | — | — | Jun 18, 2026 | TL;DR: This vulnerability affects Kirby sites and plugins that use the `writer` or `list` fields or that use `$dom->sanitize()`, `Sane::sanitize()`, `Sane\Html::sanitize()`, `Sane\Svg::sanitize()`, `Sane\Xml::sanitize()`, `Sane::sanitizeFile()` or… |
| CVE-2026-45368 | High | 0.38 | — | 0.00 | May 27, 2026 | TL;DR: This vulnerability affects all Kirby sites that allow the use of the `(link: …)` KirbyTag, the `link:` parameter of the `(image: …)` KirbyTag, the built-in `image` block with a link or the HTML importer for blocks, when content is authored by users who may not be… |
| CVE-2026-44177 | High | 0.38 | — | 0.00 | May 26, 2026 | TL;DR: This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. **This vulnerability is of high severity for all Kirby sites**. Introduction: Path traversal is a type of attack that allows to… |
| CVE-2026-44175 | High | 0.38 | — | 0.00 | May 26, 2026 | TL;DR: This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block. **This… |
| CVE-2026-44174 | High | 0.38 | — | 0.00 | May 26, 2026 | TL;DR: This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. **This vulnerability is of high severity for affected sites and has a high real-world impact.** Introduction: Arbitrary method call is… |
| CVE-2017-16807 | Medium | 0.38 | 5.4 | 0.02 | Nov 13, 2017 | A cross-site scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file. |
| CVE-2026-40099 | Medium | 0.35 | 6.5 | 0.00 | Apr 24, 2026 | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also… |
| CVE-2026-29905 | Medium | 0.35 | 6.5 | 0.00 | Mar 26, 2026 | Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to… |
| CVE-2026-42174 | Medium | 0.28 | 4.3 | 0.00 | May 9, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0. |
| CVE-2026-42051 | Medium | 0.28 | 4.3 | 0.00 | May 9, 2026 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0. |
| CVE-2026-54004 | — | 0.00 | — | — | Jun 18, 2026 | TL;DR: This vulnerability affects Kirby 5 sites that have the `content.fileRedirects` option enabled (set to `true` or a custom closure) as well as all Kirby 4 sites that haven't explicitly disabled this option. It was possible to access clean file URLs of top-level drafts… |
| CVE-2026-50188 | — | 0.00 | — | — | Jun 18, 2026 | TL;DR: This vulnerability affects Kirby sites and plugins that use the `Kirby\Http\Remote` class (including `Remote::request()`, `Remote::get()`, `Remote::post()`, and similar helpers) to send outgoing HTTP requests and that pass untrusted, user-controlled data into the… |
| CVE-2026-49274 | — | 0.00 | — | — | Jun 18, 2026 | TL;DR: This vulnerability affects all Kirby sites that use the `pages` field and where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model… |
| CVE-2026-45334 | — | 0.00 | — | 0.00 | May 27, 2026 | TL;DR: This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the `users.access` or `users.list` permissions. A site is affected if users of a particular role are not allowed to see other users in the Panel, for example because… |
| CVE-2026-44176 | — | 0.00 | — | 0.00 | May 26, 2026 | TL;DR: This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), via `options` in the model blueprint(s) or via a… |
| CVE-2026-21896 | — | 0.00 | — | 0.00 | Jan 8, 2026 | Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write… |
| CVE-2025-65012 | — | 0.00 | — | 0.00 | Nov 18, 2025 | Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate… |
| CVE-2025-31493 | — | 0.00 | — | 0.00 | May 13, 2025 | Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name (such as a collection name that depends… |
| CVE-2025-30207 | — | 0.00 | — | 0.00 | May 13, 2025 | Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software (such… |
| CVE-2025-30159 | — | 0.00 | — | 0.01 | May 13, 2025 | Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `snippet()` helper or `$kirby->snippet()` method with a dynamic snippet name (such as a snippet name that depends on request… |
| CVE-2024-41964 | — | 0.00 | — | 0.00 | Aug 29, 2024 | Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not… |
| CVE-2024-27087 | — | 0.00 | — | 0.00 | Feb 26, 2024 | Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined… |
| CVE-2024-26484 | — | 0.00 | — | 0.00 | Feb 22, 2024 | A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link field. NOTE: the vendor's position is that this issue did not affect any… |
| CVE-2023-38492 | — | 0.00 | — | 0.01 | Jul 27, 2023 | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited,… |
| CVE-2023-38491 | — | 0.00 | — | 0.01 | Jul 27, 2023 | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary… |
| CVE-2023-38490 | — | 0.00 | — | 0.02 | Jul 27, 2023 | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby… |
| CVE-2023-38489 | — | 0.00 | — | 0.01 | Jul 27, 2023 | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a… |
| CVE-2023-38488 | — | 0.00 | — | 0.01 | Jul 27, 2023 | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update a Kirby… |
| CVE-2022-39315 | — | 0.00 | — | 0.01 | Oct 25, 2022 | Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks… |
| CVE-2022-39314 | — | 0.00 | — | 0.00 | Oct 24, 2022 | Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the `code` or `password-reset` auth… |
| CVE-2022-36037 | — | 0.00 | — | 0.01 | Aug 29, 2022 | Kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or… |
| CVE-2018-14519 | — | 0.00 | — | 0.00 | Aug 24, 2022 | An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page. |
| CVE-2018-14520 | — | 0.00 | — | 0.01 | Aug 24, 2022 | An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages. |
| CVE-2021-41258 | — | 0.00 | — | 0.01 | Nov 16, 2021 | Kirby is an open source file structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters to… |
| CVE-2021-41252 | — | 0.00 | — | 0.01 | Nov 16, 2021 | Kirby is an open source file structured CMS. Impact: Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would… |
| CVE-2021-32735 | — | 0.00 | — | 0.01 | Jul 2, 2021 | Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious… |
| CVE-2021-29460 | — | 0.00 | — | 0.03 | Apr 27, 2021 | Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser… |
| CVE-2020-26255 | — | 0.00 | — | 0.01 | Dec 8, 2020 | Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14, an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers… |
| CVE-2020-26253 | — | 0.00 | — | 0.01 | Dec 8, 2020 | Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin… |
| CVE-2018-16623 | — | 0.00 | — | 0.01 | May 13, 2019 | Kirby v2.5.12 is prone to a persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown. |
| CVE-2018-16624 | — | 0.00 | — | 0.01 | May 13, 2019 | panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page. |
| CVE-2018-16630 | — | 0.00 | — | 0.01 | Dec 28, 2018 | Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file. |
Page 1 of 2