Kirby@* Security Vulnerabilities and Issues — Kirby@* CVE List

Lucene search

GetkirbyKirby*

21 matches found

CVE•added 2024/02/22 5:15 a.m.•4175 views

CVE-2024-26481

Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter.

4.7CVSS7.1AI score0.00098EPSS

CVE•added 2024/02/22 5:15 a.m.•3502 views

CVE-2024-26483

An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.

8.8CVSS7.5AI score0.00157EPSS

CVE•added 2023/07/27 4:15 p.m.•2577 views

CVE-2023-38492

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited, however we still rec...

7.5CVSS6.5AI score0.00098EPSS

CVE•added 2023/07/27 4:15 p.m.•2511 views

CVE-2023-38491

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content f...

5.7CVSS5.4AI score0.00148EPSS

CVE•added 2023/07/27 3:15 p.m.•2488 views

CVE-2023-38489

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser th...

7.3CVSS7.2AI score0.00155EPSS

CVE•added 2022/08/29 6:15 p.m.•490 views

CVE-2022-36037

kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Pane...

5.9CVSS5.5AI score0.00627EPSS

CVE•added 2021/04/27 8:15 p.m.•115 views

CVE-2021-29460

Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like [removed] tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in ...

7.6CVSS5.7AI score0.0112EPSS

Web

CVE•added 2022/10/25 5:15 p.m.•104 views

CVE-2022-39315

Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does no...

6.5CVSS5.5AI score0.00135EPSS

CVE•added 2024/02/26 5:15 p.m.•103 views

CVE-2024-27087

Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined link formats. As the ...

5.4CVSS5.1AI score0.00781EPSS

CVE•added 2022/10/24 2:15 p.m.•96 views

CVE-2022-39314

Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the code or password-reset auth method with the auth.metho...

4.8CVSS4.3AI score0.00116EPSS

CVE•added 2023/07/27 3:15 p.m.•76 views

CVE-2023-38488

8.8CVSS7.9AI score0.0007EPSS

CVE•added 2020/12/08 2:15 a.m.•70 views

CVE-2020-26253

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Pane...

6.8CVSS5.6AI score0.00161EPSS

CVE•added 2021/07/02 3:15 p.m.•60 views

CVE-2021-32735

Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's ListItem component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can es...

7.1CVSS5.4AI score0.00217EPSS

CVE•added 2023/07/27 3:15 p.m.•60 views

CVE-2023-38490

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the Xml data handler (e.g. Data::decode($string, 'xml')) or the Xml::parse() method in site or plugin code. The Kirby core does not use any of t...

10CVSS8AI score0.18066EPSS

CVE•added 2021/11/16 6:15 p.m.•52 views

CVE-2021-41258

Kirby is an open source file structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters to protect against cross-sit...

7.3CVSS5.3AI score0.00382EPSS

CVE•added 2020/12/08 3:15 p.m.•50 views

CVE-2020-26255

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of aut...

9.1CVSS8.2AI score0.01108EPSS

CVE•added 2024/08/29 5:15 p.m.•50 views

CVE-2024-41964

Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's fron...

8.1CVSS8AI score0.00238EPSS

CVE•added 2021/11/16 6:15 p.m.•49 views

CVE-2021-41252

Kirby is an open source file structured CMS ### Impact Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user ...

7.3CVSS5.4AI score0.00328EPSS

CVE•added 2025/05/13 4:15 p.m.•38 views

CVE-2025-30207

Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software (such as Apache, nginx or C...

7.5CVSS6.5AI score0.00061EPSS

CVE•added 2025/05/13 3:15 p.m.•32 views

CVE-2025-30159

Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the snippet() helper or $kirby->snippet() method with a dynamic snippet name (such as a snippet name that depends on request or user data). Sites ...

9.1CVSS7.1AI score0.00112EPSS

CVE•added 2025/05/13 4:15 p.m.•30 views

CVE-2025-31493

Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the collection() helper or $kirby->collection() method with a dynamic collection name (such as a collection name that depends on request or user d...

9.1CVSS6.5AI score0.00084EPSS