[MEDIUM] Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions

PKSA-p78d-845h-8y84 CVE-2026-42174 GHSA-39cp-6679-8xv2

Affected package: getkirby/cms

Affected version: >=5.0.0,<=5.3.3|<=4.8.0

Reported by:
GitHub