Lucene search
K

48 matches found

CVE
CVE
added yesterday18 views

CVE-2026-54005

Kirby CMS has a vulnerability tracked as CVE-2026-54005 where the /api/site/find route does not check the pages.access permission. Prior to versions 4.9.4 and 5.4.4, authenticated users who know or guess page IDs or UUIDs could retrieve full page content and metadata for arbitrary published pages...

7.1CVSS6AI score
Exploits0References5
CVE
CVE
added yesterday35 views

CVE-2026-49274

CVE-2026-49274 affects Kirby CMS prior to versions 4.9.4 and 5.4.4. When the pages field is used and a role has pages.access disabled, authenticated users could supply an inaccessible parent page or site to the page picker backend, enabling confirmation of page existence and retrieval of title fi...

5.3CVSS5.9AI score
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.10 views

Kirby: `pages.access` permission is not checked in the `site/find` REST API route

TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, options in the model blueprints, or a combination of both settings. It was possible to...

7.1CVSS5.4AI score
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/06/18 3:5 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the /api/site/find route. An attacker can access sensitive page information, including full content and metadata, by sending requests with known or guessed page IDs or UUIDs as an authenticated user. This is on...

7.1CVSS5.9AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/18 3:4 p.m.9 views

Kirby: `pages.access` permission is not checked in the pages picker for parent pages

TL;DR This vulnerability affects all Kirby sites that use the pages field and where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, options in the model blueprints, or a combination of both...

5.3CVSS5.5AI score
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/06/18 3:4 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the backend logic for the pages picker process. An attacker can confirm the existence of arbitrary pages and retrieve the value of the title field by providing the full path to an existing page as an...

5.3CVSS6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50726

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Missing authorization in the content management system allows authenticated users to retrieve information for arbitrary published pages. By knowing or guessing page IDs or...

7.1CVSS6AI score
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/06/05 7:24 p.m.9 views

CVE-2026-8238

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/messagepage' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and th...

6.3CVSS5.5AI score0.00201EPSS
Exploits0References1
OSV
OSV
added 2026/05/26 11:55 p.m.7 views

GHSA-2XW4-V2WX-HQQ9 Kirby CMS's `pages.access` permission is not checked during rendering of page drafts

TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, via options in the model blueprints or via a combination of both settings. Kirby sites...

6CVSS5.7AI score0.00033EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/26 11:55 p.m.25 views

Kirby CMS's `pages.access` permission is not checked during rendering of page drafts

TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, via options in the model blueprints or via a combination of both settings. Kirby sites...

5.7AI score0.00033EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/26 11:55 p.m.9 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the pages.access permission check during the rendering process of page drafts. An attacker can gain unauthorized access to sensitive page draft content by authenticating as a user without the required permission...

6CVSS5.8AI score0.00033EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.11 views

PT-2026-43451

TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, via options in the model blueprints or via a combination of both settings. Kirby sites...

6CVSS5.7AI score0.00033EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/05/18 7:58 p.m.12 views

CVE-2026-46362

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated...

7.1CVSS5.9AI score0.00303EPSS
Exploits0References1
NVD
NVD
added 2026/05/15 7:17 p.m.21 views

CVE-2026-46362

phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated...

7.1CVSS0.00303EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/12 8:20 a.m.13 views

CVE-2026-42137

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...

7.1CVSS5.7AI score0.00303EPSS
Exploits0References1
NVD
NVD
added 2026/05/09 4:16 a.m.45 views

CVE-2026-42137

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...

7.1CVSS0.00303EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/09 3:38 a.m.6 views

CVE-2026-42137

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...

7.1CVSS5.7AI score0.00303EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/05/09 3:38 a.m.11 views

EUVD-2026-28889

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...

7.1CVSS5.7AI score0.00303EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/09 3:38 a.m.9 views

CVE-2026-42137 Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0...

7.1CVSS5.7AI score0.00303EPSS
Exploits0References3
CVE
CVE
added 2026/05/09 3:38 a.m.21 views

CVE-2026-42137

Kirby CVE-2026-42137 affects the open-source Kirby CMS. Prior to versions 4.9.0 and 5.4.0, the Panel and REST API did not consistently enforce pages.access/list and files.access/list permissions, enabling missing authorization in some collections and related models. The issue has been fixed in Ki...

7.1CVSS5.7AI score0.00303EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder