3 matches found
CVE-2026-54004 Kirby: Access to files of top-level drafts is not protected by permissions
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites with content.fileRedirects enabled could redirect unauthenticated clean file URL requests for files stored in top-level draft pages to physical media URLs without checking page access permissions or preview...
Kirby: Access to files of top-level drafts is not protected by permissions
TL;DR This vulnerability affects Kirby 5 sites that have the content.fileRedirects option enabled set to true or a custom closure as well as all Kirby 4 sites that haven't explicitly disabled this option. It was possible to access clean file URLs of top-level drafts e.g. /about-us/team.jpg withou...
PT-2026-50725
Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Kirby sites with the content.fileRedirects option enabled allow unauthenticated users to access clean file URLs for files stored in top-level draft pages. The system...