19 matches found
CVE-2026-54003
Summary of CVE-2026-54003 (Kirby CMS) : Affected Kirby installations with no configured user accounts, running behind a reverse proxy that sets Forwarded, X-Client-IP, or X-Real-IP headers could allow remote attackers to install the Panel and create the first admin user. This occurs on releases p...
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
TL;DR This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the Forwarded: for=..., X-Client-IP, or X-Real-IP request header. It was possible to install the Panel = create the first admin user i...
PT-2026-50724
Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description An external initialization issue exists in the Kirby Panel and REST API. This occurs when a site has no configured user accounts and is hosted on a publicly accessible...
PT-2026-44153
TL;DR This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the users.access or users.list permissions. A site is affected if users of a particular role are not allowed to see other users in the Panel, for example because the role's blueprint sets...
EUVD-2022-1926
Malicious code in bioql PyPI...
GHSA-275C-V3RC-XGHX Kirby XSS Vulnerability
A cross-site Scripting XSS vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file...
Kirby XSS Vulnerability
A cross-site Scripting XSS vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file...
CVE-2020-26255
Kirby is a CMS. In Kirby CMS getkirby/cms before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of...
GHSA-G3H8-CG9X-47QW Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5
Impact An editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors...
Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5
Impact An editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors...
Kirby Access Control Error Vulnerability
Kirby is a file-based content management system CMS. A security vulnerability exists in Kirby CMS versions prior to 3.3.6 and Kirby Panel versions prior to 2.5.14, which stems from the fact that the admin panel may be accessible if hosted in a .dev domain. To protect new installations on public...
Kirby Panel Cross-Site Scripting Vulnerability
Kirby is a file-based CMS Content Management System system. panel is one of the control panel components. A cross-site scripting vulnerability exists in Kirby Panel versions prior to 2.3.3, 2.4.x versions prior to 2.4.2 and 2.5.x versions prior to 2.5.7. A remote attacker can exploit this...
CVE-2017-16807
A cross-site Scripting XSS vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file...
Cross site scripting
A cross-site Scripting XSS vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file...
CVE-2017-16807
A cross-site Scripting XSS vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file...
CVE-2017-16807
The CVE-2017-16807 entry describes a cross-site scripting (XSS) vulnerability in Kirby Panel when displaying a specially crafted SVG uploaded as a content file. Affected software includes Kirby Panel versions before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7. The root cause is improper han...
CVE-2017-16807
A cross-site Scripting XSS vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file...
Kirby CMS 2.5.7 - Cross-Site Scripting
Kirby CMS 2.5.7 - Cross-Site Scripting Exploit Title: KirbyCMS 2.5.7 Stored Cross Site Scripting Vendor Homepage: https://getkirby.com/ Software Link: https://getkirby.com/try Discovered by: Ishaq Mohammed Contact: https://twitter.com/securityprince Website: https://about.me/security-prince...
Kirby CMS < 2.5.7 - Cross-Site Scripting
Exploit Title: KirbyCMS 2.5.7 Stored Cross Site Scripting Vendor Homepage: https://getkirby.com/ Software Link: https://getkirby.com/try Discovered by: Ishaq Mohammed Contact: https://twitter.com/securityprince Website: https://about.me/security-prince Category: webapps Platform: PHP CVE:...