CVE-2026-41325

Kirby exposes an authorization bypass vulnerability during creation of pages, files and users via dynamic blueprint injection. Prior to versions 4.9.0 and 5.4.0, an attacker could inject custom blueprint options (e.g., 'create' => true) into the model data, overriding permissions defined in us...