PKSA-bpcj-ysn7-my14 Security Advisory
-
[HIGH] Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API
PKSA-bpcj-ysn7-my14 CVE-2026-42137 GHSA-85x2-r8xv-ww8c
Affected package: getkirby/cms
Affected version: >=5.0.0,<=5.3.3|<=4.8.0
Reported by: GitHub