[MEDIUM] Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions

PKSA-q7k8-c5gf-pkgc CVE-2026-45334 GHSA-39vq-49qm-r2mc

Affected package: getkirby/cms

Affected version: >=5.0.0,<=5.4.0|<=4.9.0

Reported by:
GitHub