getkirby/cms Security Advisories for 3.6.3 (33)
-
[HIGH] Kirby: `pages.access` permission is not checked in the `site/find` REST API route
PKSA-jpkc-34xj-4vfy CVE-2026-54005 GHSA-r3w8-2c5r-h9j9
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by: GitHub
-
[MEDIUM] Kirby: Access to files of top-level drafts is not protected by permissions
PKSA-6sq2-11dh-hkdq CVE-2026-54004 GHSA-89cp-7p28-jffg
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by: GitHub
-
[CRITICAL] Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
PKSA-h8zr-vfb5-1d5r CVE-2026-54003 GHSA-whxw-24jc-cwmv
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by: GitHub
-
[HIGH] Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`
PKSA-wps5-gfv8-mm6f CVE-2026-54002 GHSA-wr9h-4r83-f4v6
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by: GitHub
-
[MEDIUM] Kirby: Request header injection in `Http\Remote`
PKSA-k11s-611y-v46q CVE-2026-50188 GHSA-4v4h-m2qq-ppgw
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by: GitHub
-
[HIGH] Kirby: Self cross-site scripting (self-XSS) in the writer field
PKSA-hnr2-vddk-p4gy CVE-2026-49276 GHSA-rhj6-r49h-5932
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by: GitHub
-
[MEDIUM] Kirby: `pages.access` permission is not checked in the pages picker for parent pages
PKSA-4ys7-5twb-r3bn CVE-2026-49274 GHSA-23q2-54qv-rq5x
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by: GitHub
-
[HIGH] Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend
PKSA-d956-rcc1-9n2f CVE-2026-45368 GHSA-qvjf-922g-pj44
Affected version: >=5.0.0,<=5.4.0|<=4.9.0
Reported by: GitHub
-
[MEDIUM] Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions
PKSA-q7k8-c5gf-pkgc CVE-2026-45334 GHSA-39vq-49qm-r2mc
Affected version: >=5.0.0,<=5.4.0|<=4.9.0
Reported by: GitHub
-
[MEDIUM] Kirby CMS's `pages.access` permission is not checked during rendering of page drafts
PKSA-ycvm-k4m4-tr9m CVE-2026-44176 GHSA-2xw4-v2wx-hqq9
Affected version: >=5.0.0,<=5.4.0|<=4.9.0
Reported by: GitHub
-
[HIGH] Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend
PKSA-g7d2-4qf5-mg45 CVE-2026-44175 GHSA-5fhx-9q32-q257
Affected version: >=5.0.0,<=5.4.0|<=4.9.0
Reported by: GitHub
-
[HIGH] Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints
PKSA-hhnz-p4k9-sfyd CVE-2026-44174 GHSA-86rh-h242-j8xp
Affected version: >=5.0.0,<=5.4.0|<=4.9.0
Reported by: GitHub
-
[MEDIUM] Kirby CMS's system API endpoint leaks installed version and license data to authenticated users
PKSA-d1w9-s6x2-nh6p CVE-2026-42051 GHSA-x68m-c7jf-2572
Affected version: >=5.0.0,<=5.3.3|<=4.8.0
Reported by: GitHub
-
[MEDIUM] Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions
PKSA-p78d-845h-8y84 CVE-2026-42174 GHSA-39cp-6679-8xv2
Affected version: >=5.0.0,<=5.3.3|<=4.8.0
Reported by: GitHub
-
[HIGH] Kirby CMS's read access to site, user and role information is not gated by permissions
PKSA-wrgq-xy3s-q6nz CVE-2026-42069 GHSA-2h7v-4372-f6x2
Affected version: >=5.0.0,<=5.3.3|<=4.8.0
Reported by: GitHub
-
[HIGH] Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API
PKSA-bpcj-ysn7-my14 CVE-2026-42137 GHSA-85x2-r8xv-ww8c
Affected version: >=5.0.0,<=5.3.3|<=4.8.0
Reported by: GitHub
-
[HIGH] Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection
PKSA-m1sp-3j4c-yg88 CVE-2026-41325 GHSA-6gqr-mx34-wh8r
Affected version: >=5.0.0,<5.4.0|<4.9.0
Reported by: GitHub
-
[MEDIUM] Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
PKSA-pyk9-2q1t-drry CVE-2026-40099 GHSA-w942-j9r6-hr6r
Affected version: >=5.0.0,<5.4.0|<4.9.0
Reported by: GitHub
-
[HIGH] Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
PKSA-w67s-1md9-r7dk CVE-2026-34587 GHSA-jcjw-58rv-c452
Affected version: >=5.0.0,<5.4.0|<4.9.0
Reported by: GitHub
-
[MEDIUM] Kirby has XML injection in its XML creator toolkit
PKSA-rr97-2byk-h46m CVE-2026-32870 GHSA-9wfj-c55w-j9qr
Affected version: >=5.0.0,<5.4.0|<4.9.0
Reported by: GitHub
-
[LOW] Kirby vulnerable to path traversal in the router for PHP's built-in server
PKSA-psph-xw59-snn6 CVE-2025-30207 GHSA-9p3p-w5jf-8xxg
Affected version: >=4.0.0,<4.7.1|>=3.10.0,<3.10.1.2|<3.9.8.3
Reported by: GitHub
-
[MEDIUM] Kirby vulnerable to path traversal of collection names during file system lookup
PKSA-2y53-wq8k-h8qy CVE-2025-31493 GHSA-x275-h9j4-7p4h
Affected version: >=4.0.0,<4.7.1|>=3.10.0,<3.10.1.2|<3.9.8.3
Reported by: GitHub
-
[HIGH] Kirby has insufficient permission checks in the language settings
PKSA-qp36-pv2c-kj8n CVE-2024-41964 GHSA-jm9m-rqr3-wfmh
Affected version: >=4.0.0,<=4.3.0|>=3.10.0,<=3.10.1|>=3.9.0,<=3.9.8.1|>=3.8.0,<=3.8.4.3|>=3.7.0,<=3.7.5.4|<=3.6.6.5
Reported by: GitHub
-
[MEDIUM] Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field
PKSA-sz76-zpcd-hvzc CVE-2024-26481 GHSA-57f2-8p89-66x6
Affected version: >=4.0.0,<=4.1.0|=3.10.0|>=3.9.0,<=3.9.8|>=3.8.0,<=3.8.4.2|>=3.7.0,<=3.7.5.3|<=3.6.6.4
Reported by: GitHub
-
[MEDIUM] Kirby vulnerable to unrestricted file upload of user avatar images
PKSA-yxtp-sp4n-y3tf CVE-2024-26483 GHSA-xrvh-rvc4-5m43
Affected version: >=4.0.0,<=4.1.0|=3.10.0|>=3.9.0,<=3.9.8|>=3.8.0,<=3.8.4.2|>=3.7.0,<=3.7.5.3|<=3.6.6.4
Reported by: GitHub
-
[HIGH] Field injection in the KirbyData text storage handler
PKSA-zqxs-5pcg-2nkm CVE-2023-38488 GHSA-x5mr-p6v4-wp93
Affected version: >=3.9.0,<3.9.6|>=3.8.0,<3.8.4.1|>=3.7.0,<3.7.5.2|>=3.6.0,<3.6.6.3|<3.5.8.3
Reported by: GitHub
-
[HIGH] Insufficient Session Expiration after a password change
PKSA-8t3n-wjby-x47v CVE-2023-38489 GHSA-5mvj-rvp8-rf45
Affected version: >=3.9.0,<3.9.6|>=3.8.0,<3.8.4.1|>=3.7.0,<3.7.5.2|>=3.6.0,<3.6.6.3|<3.5.8.3
Reported by: GitHub
-
[MEDIUM] XML External Entity (XXE) vulnerability in the XML data handler
PKSA-t9s4-yst7-6h1r CVE-2023-38490 GHSA-q386-w6fg-gmgp
Affected version: >=3.9.0,<3.9.6|>=3.8.0,<3.8.4.1|>=3.7.0,<3.7.5.2|>=3.6.0,<3.6.6.3|<3.5.8.3
Reported by: GitHub
-
[MEDIUM] Cross-site scripting (XSS) from MIME type auto-detection of uploaded files
PKSA-dkbm-bh96-zk72 CVE-2023-38491 GHSA-8fv7-wq38-f5c9
Affected version: >=3.9.0,<3.9.6|>=3.8.0,<3.8.4.1|>=3.7.0,<3.7.5.2|>=3.6.0,<3.6.6.3|<3.5.8.3
Reported by: GitHub
-
[MEDIUM] Denial of service from unlimited password lengths
PKSA-3nsf-jngg-dvvg CVE-2023-38492 GHSA-3v6j-v3qc-cxff
Affected version: >=3.9.0,<3.9.6|>=3.8.0,<3.8.4.1|>=3.7.0,<3.7.5.2|>=3.6.0,<3.6.6.3|<3.5.8.3
Reported by: GitHub
-
[MEDIUM] Kirby CMS vulnerable to user enumeration in the brute force protection
PKSA-5k7b-5skk-nstj CVE-2022-39315 GHSA-c27j-76xg-6x4f
Affected version: =3.8.0|>=3.7.0,<3.7.5.1|>=3.6.0,<3.6.6.2|<3.5.8.2
Reported by: GitHub
-
[MEDIUM] Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms
PKSA-7256-97xt-6n1p CVE-2022-39314 GHSA-43qq-qw4x-28f8
Affected version: =3.8.0|>=3.7.0,<3.7.5.1|>=3.6.0,<3.6.6.2|>=3.5.0,<3.5.8.2
Reported by: GitHub
-
[HIGH] Cross-site scripting from content entered in the tags and multiselect fields
PKSA-qg92-8hvw-mrcv GHSA-rv3r-vqjj-8c76
Affected version: >=3.7.0,<3.7.4|>=3.6.0,<3.6.6.1|>=3.5.7,<3.5.8.1
Reported by: GitHub
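The "Affected version" lines above use the constraint syntax Packagist prints for advisories: alternatives separated by `|`, each a comma-separated conjunction of comparisons (`>=`, `<=`, `>`, `<`, `=`). Note that the newer advisories start their 5.x range at `5.0.0-alpha.1` while the older ones start at `5.0.0`, which only differs for pre-release installs. The Python below is an added example written for this page, not Packagist's, Composer's or Kirby's own code: it parses that syntax and reports which of a sample of the listed advisories cover a given installed version. The version-ordering model is an assumption, a simplified version of Composer's rules (numeric components compared left to right and padded with zeros so `3.6.6` equals `3.6.6.0`; any pre-release, ordered dev < alpha < beta < RC, sorts before the stable release it precedes). The identifiers and ranges in `ADVISORIES` are copied from this page; they are a subset, not the full list of 33.

```python
"""Check an installed getkirby/cms version against the affected-version
constraints printed on this page (added example, not Packagist/Composer code).

Assumed constraint syntax:  alt1 | alt2 | ...   where   alt = cmp , cmp , ...
and cmp is one of  >=v  <=v  >v  <v  =v.
Assumed version ordering (simplified from Composer's): numeric parts are
compared left to right after zero-padding to four components, and any
pre-release (dev < alpha < beta < RC) sorts before the matching stable release.
"""
import re

# Assumed pre-release ordering: dev < alpha < beta < RC < stable.
_PRERELEASE_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_STABLE_RANK = 4

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:-([A-Za-z]+)\.?(\d*))?")
_CONSTRAINT_RE = re.compile(r"(>=|<=|>|<|=)\s*(\S+)")


def parse_version(text):
    """Return a tuple that compares the way the page's ranges intend.

    '5.0.0-alpha.1' -> ((5, 0, 0, 0), 1, 1)
    '5.0.0'         -> ((5, 0, 0, 0), 4, 0)
    so 5.0.0-alpha.1 < 5.0.0, and 3.6.6.5 > 3.6.6 (which equals 3.6.6.0).
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * max(0, 4 - len(nums))  # 3.6.6 -> 3.6.6.0, like Composer
    tag, tag_num = m.group(2), m.group(3)
    if tag is None:
        return (tuple(nums), _STABLE_RANK, 0)
    rank = _PRERELEASE_RANK.get(tag.lower())
    if rank is None:
        raise ValueError(f"unknown pre-release tag in {text!r}")
    return (tuple(nums), rank, int(tag_num or 0))


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def is_affected(installed, constraint):
    """True if `installed` satisfies any `|`-separated alternative; an
    alternative holds only when every comma-separated comparison holds."""
    v = parse_version(installed)
    for alternative in constraint.split("|"):
        holds = True
        for part in alternative.split(","):
            m = _CONSTRAINT_RE.fullmatch(part.strip())
            if not m:
                raise ValueError(f"unparseable constraint: {part!r}")
            op, bound = m.groups()
            if not _OPS[op](v, parse_version(bound)):
                holds = False
                break
        if holds:
            return True
    return False


# A subset of the advisories listed on this page: (identifier, affected range).
ADVISORIES = [
    ("CVE-2026-54005", ">=5.0.0-alpha.1,<=5.4.3|<=4.9.3"),
    ("CVE-2026-45368", ">=5.0.0,<=5.4.0|<=4.9.0"),
    ("CVE-2025-30207", ">=4.0.0,<4.7.1|>=3.10.0,<3.10.1.2|<3.9.8.3"),
    ("CVE-2024-41964", ">=4.0.0,<=4.3.0|>=3.10.0,<=3.10.1|>=3.9.0,<=3.9.8.1"
                       "|>=3.8.0,<=3.8.4.3|>=3.7.0,<=3.7.5.4|<=3.6.6.5"),
    ("CVE-2023-38488", ">=3.9.0,<3.9.6|>=3.8.0,<3.8.4.1|>=3.7.0,<3.7.5.2"
                       "|>=3.6.0,<3.6.6.3|<3.5.8.3"),
    ("GHSA-rv3r-vqjj-8c76", ">=3.7.0,<3.7.4|>=3.6.0,<3.6.6.1|>=3.5.7,<3.5.8.1"),
]


def applicable_advisories(installed, advisories=ADVISORIES):
    """Identifiers of the advisories whose affected range covers `installed`."""
    return [ident for ident, rng in advisories if is_affected(installed, rng)]


if __name__ == "__main__":
    for version in ("3.6.3", "3.6.6.5", "5.0.0-alpha.1", "5.4.4"):
        print(version, applicable_advisories(version))
```

Running it shows why the page title says all 33 entries apply to 3.6.3 while a patched 3.6.6.5 drops out of the 2022 and 2023 ranges, and why `5.0.0-alpha.1` is caught by the `>=5.0.0-alpha.1` ranges but not by the older `>=5.0.0` ones. For a real project, `composer audit` performs this check against the live Packagist advisory database instead of a hand-copied list.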