9 matches found

OSV
added 2026/04/24 8:39 p.m., 0 views

GHSA-6GQR-MX34-WH8R Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection

TL;DR: This vulnerability affects all Kirby sites where users of a particular role have no permission to create pages, files or users (pages.create, files.create or users.create permission is disabled). This can be due to configuration in the user blueprints, via options in the model blueprints or v...

CVSS 7.1, AI score 5.7, EPSS 0.00041
Exploits 0, References 5

CVE
added 2026/04/24 12:38 a.m., 14 views

CVE-2026-41325

Kirby exposes an authorization bypass vulnerability during creation of pages, files and users via dynamic blueprint injection. Prior to versions 4.9.0 and 5.4.0, an attacker could inject custom blueprint options (e.g., 'create' => true) into the model data, overriding permissions defined in us...

CVSS 8.8, AI score 5.6, EPSS 0.00041
Exploits 0, References 3, Affected Software 1

Vulnrichment
added 2026/04/24 12:38 a.m., 2 views

CVE-2026-41325 Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). It is also possible to customize th...

CVSS 7.1, AI score 5.3, EPSS 0.00041
Exploits 0, References 3

OSV
added 2026/04/23 9:24 p.m., 1 views

GHSA-W942-J9R6-HR6R Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter

TL;DR: This vulnerability affects all Kirby sites where users have the permission to create pages (pages.create permission is enabled) but not the permission to change the status of pages (pages.changeStatus permission is disabled). This can be due to configuration in the user blueprints, via options ...

CVSS 5.3, AI score 5.7, EPSS 0.00028
Exploits 0, References 5

CVE
added 2025/12/30 12:11 p.m., 3 views

CVE-2023-54239

CVE-2023-54239 concerns the Linux kernel iommufd component. Public docs describe a fixed issue where a user virtual address (uptr) could overflow when mapping pages, triggering WARN_ONs (notably from pin_user_pages) due to invalid arguments. The fix prevents creating a pages object with an uptr a...

AI score 6, EPSS 0.00022
Exploits 0, References 2

RedhatCVE
added 2025/09/06 11:25 a.m., 2 views

CVE-2025-41033

An SQL injection vulnerability has been found in appRain CMF 4.0.5. This vulnerability allows an attacker to retrieve, create, update, and delete the database, through the 'data%5BPage%5D%5Bname%5D' parameter in /apprain/page/manage-dynamic-pages/create...

CVSS 9.8, AI score 7.9, EPSS 0.00061
Exploits 0, References 1

RedhatCVE
added 2025/05/22 1:1 p.m., 1 views

CVE-2018-11580

An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress. Any logged in user can launch Mass Pages/Posts creation with custom content. There is no nonce or user capability check, so anyone can launch a DoS attack against a site a...

CVSS 5.4, AI score 6.8, EPSS 0.0018
Exploits 1, References 1

OSV
added 2023/03/08 7:15 p.m., 1 views

CVE-2023-23760

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This...

CVSS 8.8, AI score 6.3, EPSS 0.01108
Exploits 0, References 4

NVD
added 2012/10/07 9:55 p.m., 12 views

CVE-2012-1414

Cross-site request forgery (CSRF) vulnerability in manager/news.php in Plume CMS 1.2.4 and earlier allows remote attackers to hijack the authentication of administrators for requests that create News pages via a publish action...

CVSS 6.8, AI score 7, EPSS 0.00309
Exploits 1, References 2