Getkirby Kirby

6 matches found

CVE
added 2023/07/27 4:15 p.m., 2576 views

CVE-2023-38492

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited, however we still rec...

CVSS 7.5 | AI score 6.5 | EPSS 0.00098

CVE
added 2023/07/27 3:15 p.m., 2487 views

CVE-2023-38489

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser th...

CVSS 7.3 | AI score 7.2 | EPSS 0.00155

CVE
added 2021/04/27 8:15 p.m., 114 views

CVE-2021-29460

Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like [removed] tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in ...

CVSS 7.6 | AI score 5.7 | EPSS 0.0112

CVE
added 2021/07/02 3:15 p.m., 59 views

CVE-2021-32735

Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's ListItem component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can es...

CVSS 7.1 | AI score 5.4 | EPSS 0.00217

CVE
added 2021/11/16 6:15 p.m., 51 views

CVE-2021-41258

Kirby is an open source file structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters to protect against cross-sit...

CVSS 7.3 | AI score 5.3 | EPSS 0.00382

CVE
added 2021/11/16 6:15 p.m., 47 views

CVE-2021-41252

Kirby is an open source file structured CMS. Impact: Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user ...

CVSS 7.3 | AI score 5.4 | EPSS 0.00328