CVE-2026-40099

Kirby’s page creation API vulnerability allowed authenticated users with pages.create permission but without pages.changeStatus to create published pages by overriding isDraft via REST API. This bypassed normal editorial workflow (new pages are drafts by default) until patches in Kirby 4.9.0 and ...

EUVD-2026-25369

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... ...