getkirby/cms Security Advisories for 4.0.0-alpha.4 (6)

-
[LOW] Kirby vulnerable to path traversal in the router for PHP's built-in server
PKSA-psph-xw59-snn6 CVE-2025-30207 GHSA-9p3p-w5jf-8xxg
Affected versions: >=4.0.0,<4.7.1 | >=3.10.0,<3.10.1.2 | <3.9.8.3
Reported by:
GitHub

-
[MEDIUM] Kirby vulnerable to path traversal of collection names during file system lookup
PKSA-2y53-wq8k-h8qy CVE-2025-31493 GHSA-x275-h9j4-7p4h
Affected versions: >=4.0.0,<4.7.1 | >=3.10.0,<3.10.1.2 | <3.9.8.3
Reported by:
GitHub

-
[HIGH] Kirby has insufficient permission checks in the language settings
PKSA-qp36-pv2c-kj8n CVE-2024-41964 GHSA-jm9m-rqr3-wfmh
Affected versions: >=4.0.0,<=4.3.0 | >=3.10.0,<=3.10.1 | >=3.9.0,<=3.9.8.1 | >=3.8.0,<=3.8.4.3 | >=3.7.0,<=3.7.5.4 | <=3.6.6.5
Reported by:
GitHub

-
[MEDIUM] Kirby vulnerable to cross-site scripting (XSS) in the link field "Custom" type
PKSA-y4dk-fxrr-rv4m CVE-2024-27087 GHSA-63h4-w25c-3qv4
Affected versions: >=4.0.0,<4.1.1
Reported by:
GitHub

-
[MEDIUM] Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field
PKSA-sz76-zpcd-hvzc CVE-2024-26481 GHSA-57f2-8p89-66x6
Affected versions: >=4.0.0,<=4.1.0 | =3.10.0 | >=3.9.0,<=3.9.8 | >=3.8.0,<=3.8.4.2 | >=3.7.0,<=3.7.5.3 | <=3.6.6.4
Reported by:
GitHub

-
[MEDIUM] Kirby vulnerable to unrestricted file upload of user avatar images
PKSA-yxtp-sp4n-y3tf CVE-2024-26483 GHSA-xrvh-rvc4-5m43
Affected versions: >=4.0.0,<=4.1.0 | =3.10.0 | >=3.9.0,<=3.9.8 | >=3.8.0,<=3.8.4.2 | >=3.7.0,<=3.7.5.3 | <=3.6.6.4
Reported by:
GitHub