3 matches found
CVE-2026-49274
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page...
Kirby: `pages.access` permission is not checked in the pages picker for parent pages
TL;DR This vulnerability affects all Kirby sites that use the pages field and where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, options in the model blueprints, or a combination of both...
PT-2026-50720
Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Authenticated users can confirm the existence of arbitrary pages and retrieve their title field values. This occurs when sites use the pages field and user roles have the...