27 matches found
PT-2026-43449
TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. This vulnerability is of high severity for affected sites and has a high real-world impact. ---- Introduction Arbitrary method call is a type of arbitrary code execution...
PT-2026-43452
TL;DR This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. This vulnerability is of high severity for all Kirby sites. ---- Introduction Path traversal is a type of attack that allows to access arbitrary filesystem paths. By...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the process for managing user avatars due to insufficient authorization checks. An attacker can gain unauthorized access to create, replace, or delete user avatars by leveraging file permissions without the...
PT-2026-34815
Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.0 Kirby versions prior to 5.4.0 Description The Xml::value method in Kirby contains a flaw in how it handles blocks. While the method is designed to allow valid CDATA to pass through without being escaped a second...
GHSA-4J78-4XRM-CR2F Kirby is missing permission checks in the content changes API
TL;DR This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. If developers haven't configured any user...
EUVD-2018-8430
Malware in sbrugna...
EUVD-2018-8434
Malware in sbrugna...
EUVD-2023-2176
Malicious code in bioql PyPI...
EUVD-2022-6562
Malicious code in bioql PyPI...
EUVD-2023-2004
Malicious code in bioql PyPI...
CVE-2023-38490
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the Xml data handler e.g. Data::decode$string, 'xml' or the Xml::parse method in site or plugin code. The Kirby core does not use any of the...
CVE-2023-38491
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content...
CVE-2022-39315
Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does...
CVE-2018-16623
Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown...
GHSA-FW82-87P8-V6HP Kirby vulnerable to path traversal of snippet names in the `snippet()` helper
TL;DR This vulnerability affects all Kirby sites that use the snippet helper or $kirby-snippet method with a dynamic snippet name such as a snippet name that depends on request or user data. Sites that only use fixed calls to the snippet helper/$kirby-snippet method i.e. calls with a simple strin...
Kirby vulnerable to path traversal of snippet names in the `snippet()` helper
TL;DR This vulnerability affects all Kirby sites that use the snippet helper or $kirby-snippet method with a dynamic snippet name such as a snippet name that depends on request or user data. Sites that only use fixed calls to the snippet helper/$kirby-snippet method i.e. calls with a simple strin...
GHSA-9P3P-W5JF-8XXG Kirby vulnerable to path traversal in the router for PHP's built-in server
TL;DR This vulnerability affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software such as Apache, nginx or Caddy are not affected. ---- Introduction For use with PHP's built-in web server, Kirby...
Kirby vulnerable to path traversal in the router for PHP's built-in server
TL;DR This vulnerability affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software such as Apache, nginx or Caddy are not affected. ---- Introduction For use with PHP's built-in web server, Kirby...
GHSA-X275-H9J4-7P4H Kirby vulnerable to path traversal of collection names during file system lookup
TL;DR This vulnerability affects all Kirby sites that use the collection helper or $kirby-collection method with a dynamic collection name such as a collection name that depends on request or user data. Sites that only use fixed calls to the collection helper/$kirby-collection method i.e. calls...
Kirby vulnerable to path traversal of collection names during file system lookup
TL;DR This vulnerability affects all Kirby sites that use the collection helper or $kirby-collection method with a dynamic collection name such as a collection name that depends on request or user data. Sites that only use fixed calls to the collection helper/$kirby-collection method i.e. calls...