Lucene search
+L

599 matches found

NVD
NVD
added 3 days ago8 views

CVE-2026-44177

Kirby is an open-source content management system. In versions 5.3.0 and above but prior to 5.4.1, Kirby did not correctly validate the provided user ID, resulting in a path traversal vulnerability. Version 5.3.0 introduced a performance improvement to the Users collection that loaded user object...

8.8CVSS0.00454EPSS
Exploits0References2
NVD
NVD
added 3 days ago8 views

CVE-2026-45368

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the underlying URL methods for the KirbyTags and image blocks components did not filter out malicious URL values that resolve to script execution. The vulnerability affects four first-party Kirby renderers th...

8.4CVSS0.00334EPSS
Exploits0References2
NVD
NVD
added 3 days ago6 views

CVE-2026-44175

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, Kirby did not securely sanitize the contents of the list field on save, leaving it vulnerable to cross-site scripting XSS. Kirby's list field stores its formatted content as HTML, and unlike other field types...

8.5CVSS0.00254EPSS
Exploits0References2
NVD
NVD
added 3 days ago6 views

CVE-2026-44174

Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password...

8.7CVSS0.0028EPSS
Exploits0References3
NVD
NVD
added 3 days ago6 views

CVE-2026-44176

Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the pages.access permission during page draft rendering. Permissions are defined for each user role in the user blueprint site/blueprints/users/.... It is also possible to customize the permissions f...

6CVSS0.00215EPSS
Exploits0References2
CVE
CVE
added 3 days ago27 views

CVE-2026-45368

Kirby CMS is affected in versions prior to 4.9.1 and 5.4.1 by an XSS in URL handling for several first‑party renderers that emit : the (link: …) KirbyTag, the link parameter of (image: …), the image block's link field, and the HTML importer for blocks. The underlying issue does not filter dangero...

8.4CVSS6.1AI score0.00334EPSS
Exploits0References2
OSV
OSV
added 3 days ago6 views

CVE-2026-45368 Kirby: Cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the underlying URL methods for the KirbyTags and image blocks components did not filter out malicious URL values that resolve to script execution. The vulnerability affects four first-party Kirby renderers th...

8.4CVSS5.5AI score0.00334EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago34 views

CVE-2026-45334 Kirby: Content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the content-locking feature returned lock information without checking the requesting user's access permissions. Kirby's Panel includes a content-locking feature that records which user currently has a model...

5.3CVSS0.00365EPSS
Exploits0References2
CVE
CVE
added 3 days ago17 views

CVE-2026-45334

Kirby CMS (versions < 4.9.1 and

5.3CVSS6AI score0.00365EPSS
Exploits0References2
OSV
OSV
added 3 days ago5 views

CVE-2026-45334 Kirby: Content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the content-locking feature returned lock information without checking the requesting user's access permissions. Kirby's Panel includes a content-locking feature that records which user currently has a model...

5.3CVSS5.1AI score0.00365EPSS
Exploits0References4
CVE
CVE
added 3 days ago26 views

CVE-2026-44175

Kirby has a stored XSS vulnerability in the list field prior to versions 4.9.1 and 5.4.1 due to server-side sanitization on save not being applied (HTML in list field not escaped without breaking formatting). The content is stored as HTML and could be sent via Kirby’s API bypassing the Panel, the...

8.5CVSS5.9AI score0.00254EPSS
Exploits0References2
OSV
OSV
added 3 days ago5 views

CVE-2026-44175 Kirby: Cross-site scripting (XSS) from list field content in the site frontend

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, Kirby did not securely sanitize the contents of the list field on save, leaving it vulnerable to cross-site scripting XSS. Kirby's list field stores its formatted content as HTML, and unlike other field types...

8.5CVSS4.7AI score0.00254EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago34 views

CVE-2026-44175 Kirby: Cross-site scripting (XSS) from list field content in the site frontend

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, Kirby did not securely sanitize the contents of the list field on save, leaving it vulnerable to cross-site scripting XSS. Kirby's list field stores its formatted content as HTML, and unlike other field types...

8.5CVSS0.00254EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago36 views

CVE-2026-44176 Kirby: `pages.access` permission is not checked during rendering of page drafts

Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the pages.access permission during page draft rendering. Permissions are defined for each user role in the user blueprint site/blueprints/users/.... It is also possible to customize the permissions f...

6CVSS0.00215EPSS
Exploits0References2
CVE
CVE
added 3 days ago25 views

CVE-2026-44176

Kirby CMS vulnerability CVE-2026-44176 affects pre-4.9.1 and pre-5.4.1 releases where the path resolver could render page drafts without enforcing pages.access, potentially exposing sensitive draft content to authenticated users who know the full draft path. Root cause: page draft rendering bypas...

6CVSS6.1AI score0.00215EPSS
Exploits0References2
OSV
OSV
added 3 days ago5 views

CVE-2026-44176 Kirby: `pages.access` permission is not checked during rendering of page drafts

Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the pages.access permission during page draft rendering. Permissions are defined for each user role in the user blueprint site/blueprints/users/.... It is also possible to customize the permissions f...

6CVSS5.4AI score0.00215EPSS
Exploits0References4
CVE
CVE
added 3 days ago34 views

CVE-2026-44177

CVE-2026-44177 affects Kirby CMS (Kirby 5.3.0 up to

8.8CVSS6AI score0.00454EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago37 views

CVE-2026-44177 Kirby: Pre-authentication path traversal and PHP file inclusion during user lookup

Kirby is an open-source content management system. In versions 5.3.0 and above but prior to 5.4.1, Kirby did not correctly validate the provided user ID, resulting in a path traversal vulnerability. Version 5.3.0 introduced a performance improvement to the Users collection that loaded user object...

8.8CVSS0.00454EPSS
Exploits0References2
OSV
OSV
added 3 days ago8 views

CVE-2026-44177 Kirby: Pre-authentication path traversal and PHP file inclusion during user lookup

Kirby is an open-source content management system. In versions 5.3.0 and above but prior to 5.4.1, Kirby did not correctly validate the provided user ID, resulting in a path traversal vulnerability. Version 5.3.0 introduced a performance improvement to the Users collection that loaded user object...

8.8CVSS5.7AI score0.00454EPSS
Exploits0References4
CVE
CVE
added 3 days ago26 views

CVE-2026-44174

Kirby CMS (versions prior to 4.9.1 and 5.4.1) exposes REST API search and collection queries that did not validate model attributes, allowing authenticated users to invoke arbitrary model methods (e.g., password(), root(), loginPasswordless(), delete()) via collection endpoints. This can disclose...

8.7CVSS6.2AI score0.0028EPSS
Exploits0References3
Rows per page
Query Builder