46 matches found

Github Security Blog
added 2026/05/27 5:42 p.m., 15 views

Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend

TL;DR This vulnerability affects all Kirby sites that allow the use of the link: … KirbyTag, the link: parameter of the image: … KirbyTag, the built-in image block with a link or the HTML importer for blocks, when content is authored by users who may not be fully trusted. The attack requires an...

AI score 5.9, EPSS 0.00062
Exploits 0, References 4, Affected Software 1
Github Security Blog
added 2026/05/27 5:23 p.m., 22 views

Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions

TL;DR This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the users.access or users.list permissions. A site is affected if users of a particular role are not allowed to see other users in the Panel, for example because the role's blueprint sets...

AI score 5.6, EPSS 0.00033
Exploits 0, References 4, Affected Software 1
OSV
added 2026/05/27 5:23 p.m., 7 views

GHSA-39VQ-49QM-R2MC Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions

TL;DR This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the users.access or users.list permissions. A site is affected if users of a particular role are not allowed to see other users in the Panel, for example because the role's blueprint sets...

CVSS 5.3, AI score 5.6, EPSS 0.00033
Exploits 0, References 4
RedhatCVE
added 2026/05/12 8:21 p.m., 12 views

CVE-2026-42069

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0...

CVSS 7.1, AI score 5.7, EPSS 0.00231
Exploits 0, References 1
NVD
added 2026/05/09 4:16 a.m., 17 views

CVE-2026-42137

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...

CVSS 7.1, EPSS 0.00303
Exploits 0, References 3
CVE
added 2026/05/09 3:39 a.m., 17 views

CVE-2026-42174

Kirby CMS (CVE-2026-42174) is vulnerable prior to updates 4.9.0 and 5.4.0: user avatars could be created, replaced, or deleted without proper user.update/users.update permission checks. The root cause is missing authorization gating for avatar actions, allowing users with only file permissions to...

CVSS 5.3, AI score 5.7, EPSS 0.00237
Exploits 0, References 3, Affected Software 1
Cvelist
added 2026/05/09 3:35 a.m., 46 views

CVE-2026-42069 Kirby: Read access to site, user and role information is not gated by permissions

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0...

CVSS 7.1, EPSS 0.00231
Exploits 0, References 3
CNNVD
added 2026/05/09 12:00 a.m., 8 views

Kirby security vulnerability

Kirby is a file-based open-source content management system. Versions of Kirby prior to 4.9.0 and 5.4.0 have security vulnerabilities. These vulnerabilities stem from insufficient checks for consistency in permissions for functions like Panel and REST API's pages.access/list and...

CVSS 7.1, AI score 5.8, EPSS 0.00303
Exploits 0, References 2
CNNVD
added 2026/05/09 12:00 a.m., 12 views

Kirby security vulnerability

Kirby is a file-based open-source content management system. Versions of Kirby prior to 4.9.0 and 5.4.0 have security vulnerabilities. These vulnerabilities stem from the system's API endpoints leaking license data and installed versions to authenticated users...

CVSS 5.3, AI score 5.8, EPSS 0.00193
Exploits 0, References 1
Snyk
added 2026/04/24 2:51 a.m., 4 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the Option::render and Options::factory code paths in the Option, Options, OptionsApi, and OptionsQuery classes. An attacker can inject template/query syntax into...

CVSS 8.6, AI score 5.4, EPSS 0.00334
Exploits 0, References 2
NVD
added 2026/04/24 1:16 a.m., 5 views

CVE-2026-40099

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... It is also possible to customize th...

CVSS 6.5, EPSS 0.00275
Exploits 0, References 3
Cvelist
added 2026/04/24 12:38 a.m., 30 views

CVE-2026-41325 Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... It is also possible to customize th...

CVSS 7.1, EPSS 0.00363
Exploits 0, References 3
EUVD
added 2026/04/24 12:38 a.m., 5 views

EUVD-2026-25371

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... It is also possible to customize th...

CVSS 7.1, AI score 5.6, EPSS 0.00363
Exploits 0, References 3
CVE
added 2026/04/24 12:34 a.m., 18 views

CVE-2026-40099

Kirby’s page creation API vulnerability allowed authenticated users with pages.create permission but without pages.changeStatus to create published pages by overriding isDraft via REST API. This bypassed normal editorial workflow (new pages are drafts by default) until patches in Kirby 4.9.0 and ...

CVSS 6.5, AI score 5.6, EPSS 0.00275
Exploits 0, References 3, Affected Software 1
ATTACKERKB
added 2026/04/24 12:23 a.m., 5 views

CVE-2026-34587

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... ...

CVSS 7.6, AI score 5.6, EPSS 0.00334
Exploits 0, References 4, Affected Software 1
EUVD
added 2026/04/24 12:19 a.m., 10 views

EUVD-2026-25368

Kirby is an open-source content management system. Kirby's Xml::value method has special handling for blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check int...

CVSS 6.9, AI score 5.1, EPSS 0.00346
Exploits 0, References 3
CNNVD
added 2026/04/24 12:00 a.m., 9 views

Kirby security vulnerability

Kirby is a file-based open-source content management system. Versions prior to Kirby 4.9.0 and 5.4.0 have security vulnerabilities. These vulnerabilities stem from improper handling of CDATA blocks by the Xml::value method, which may allow structured data outside of valid CDATA blocks...

CVSS 7.5, AI score 5.8, EPSS 0.00346
Exploits 0, References 1
CVE
added 2026/03/26 12:00 a.m., 23 views

CVE-2026-29905

Kirby CMS (version 5.1.4 and earlier) is affected. An authenticated user with Editor permissions can trigger a persistent DoS by uploading a malformed image; PHP getimagesize() may return false, leading to a fatal TypeError during metadata/thumbnail processing and HTTP 500s. Public details in con...

CVSS 6.5, AI score 5.8, EPSS 0.00445
Exploits 1, References 3, Affected Software 1
RedhatCVE
added 2026/01/10 5:41 a.m., 5 views

CVE-2026-21896

Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by...

CVSS 5.8, AI score 6.7, EPSS 0.00189
Exploits 0, References 1
CVE
added 2026/01/08 6:09 p.m., 13 views

CVE-2026-21896

Kirby (CMS) versions 5.0.0–5.2.1 contain missing permission checks in the content changes API. This allows attackers with Panel access to manipulate the changes version or content fields, potentially creating editing locks, injecting content, or discarding edits across any model, when user permis...

CVSS 5.8, AI score 6.3, EPSS 0.00189
Exploits 0, References 3, Affected Software 1