2 matches found
CVE-2026-40099 Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... It is also possible to customize th...
GHSA-W942-J9R6-HR6R Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
TL;DR This vulnerability affects all Kirby sites where users have the permission to create pages pages.create permission is enabled but not the permission to change the status of pages pages.changeStatus permission is disabled. This can be due to configuration in the user blueprints, via options ...