CVE-2026-42051
Published 2026-05-09
Priority: P4
CVSS 3.1: 4.3 (medium), AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.19% (9.2th percentile)
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0 < 4.9.0 | 4.9.0 |
| getkirby | cms | >= 5.0.0 < 5.4.0 | 5.4.0 |
| getkirby | kirby | < 4.9.0 | 4.9.0 |
| getkirby | kirby | — | — |
| getkirby | kirby | >= 5.0.0 < 5.4.0 | 5.4.0 |
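The two checks a practitioner wants from the description and the table above are (a) whether a reported Kirby version sits inside an affected range (before 4.9.0 on the 4.x line, before 5.4.0 on the 5.x line) and (b) whether a system API response returned to a low-privilege Panel user still carries `version` and `license`. The script below is an added example written for this page; it is not code from the advisory or from the Kirby project. It assumes the system endpoint is served at `/api/system`, that HTTP Basic auth has been enabled in the site's `config.php` (`api.basicAuth`), and that the leaked fields appear under the keys `version` and `license`; the sample response is constructed, not captured from a real site.

```python
"""CVE-2026-42051 helper: version-range check plus /api/system response audit."""
import base64
import json
import re
import urllib.request

# First fixed release per major line, taken from the advisory table.
FIXED = {4: (4, 9, 0), 5: (5, 4, 0)}

# Keys the advisory says the system endpoint leaked to authenticated users
# (assumption: they are exposed under exactly these names).
SENSITIVE_FIELDS = ("version", "license")


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '4.8.1' or 'v5.3.2-rc.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kirby version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected_version(version: str) -> bool:
    """True if the version falls inside an affected range from the advisory table.

    The 4.x range is '>= 0 < 4.9.0', so anything older than 4.0 is affected too;
    the 5.x range is '>= 5.0.0 < 5.4.0'. Later major lines are not listed.
    """
    v = parse_version(version)
    if v[0] < 4:
        return True
    if v[0] > 5:
        return False
    return v < FIXED[v[0]]


def _data(system_payload: dict) -> dict:
    """Kirby wraps model responses as {"code", "status", "type", "data"}; accept bare bodies too."""
    return system_payload.get("data", system_payload)


def leaked_fields(system_payload: dict) -> list[str]:
    """Return the sensitive keys that are present with a non-empty value in the body.

    Assumption: a patched build either omits the keys or returns them empty
    for users who are not allowed to see them.
    """
    data = _data(system_payload)
    return [k for k in SENSITIVE_FIELDS if data.get(k) not in (None, "", False)]


def fetch_system(base_url: str, email: str, password: str, timeout: float = 10) -> dict:
    """GET <base_url>/api/system as the given user via HTTP Basic auth.

    Assumption: api.basicAuth is enabled in site/config/config.php; Kirby
    rejects Basic credentials otherwise. Use a low-privilege test account.
    """
    token = base64.b64encode(f"{email}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/system",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def audit(system_payload: dict) -> dict:
    """Combine both checks on one response body from a low-privilege user."""
    version = _data(system_payload).get("version")
    return {
        "leaked": leaked_fields(system_payload),
        "version": version,
        "affected_version": is_affected_version(version) if version else None,
    }


# Constructed sample shaped like a Kirby API model reply (not a real capture);
# the license object's inner shape is illustrative only.
SAMPLE_UNPATCHED = {
    "code": 200, "status": "ok", "type": "model",
    "data": {
        "title": "Example site",
        "version": "4.8.1",
        "license": {"status": "active", "type": "Kirby Basic"},
    },
}

if __name__ == "__main__":
    import sys
    # usage: python audit.py https://site.example editor@example.com 'password'
    body = fetch_system(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE_UNPATCHED
    print(json.dumps(audit(body), indent=2))
```

Run it against the constructed sample and it reports `version` and `license` as leaked and `4.8.1` as affected; pointed at a real site with a non-admin account, an empty `leaked` list after upgrading to 4.9.0 or 5.4.0 is the result you want to see. Kirby's own API authentication rules (Basic auth requiring HTTPS unless explicitly allowed) are outside what this page documents, so treat the transport details as an assumption.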
CVSS provenance
NVD, CVSS v3.1: 4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
NVD, CVSS v4.0: 5.3 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
getkirby up to 4.8.x/5.3.x API Endpoint authorization (GHSA-x68m-c7jf-2572)
vuldb · 2026-05-09 · CVE-2026-42051 · MEDIUM · CVSS 5.3
A vulnerability was found in getkirby kirby up to 4.8.x/5.3.x. It has been declared as problematic. The affected element is an unknown function of the component API Endpoint. Executing a manipulation can lead to missing authorization.
This vulnerability appears as CVE-2026-42051. The attack may be performed from remote. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
Kirby CMS's system API endpoint leaks installed version and license data to authenticated users
ghsa · 2026-05-04 · CVE-2026-42051 · MEDIUM · CWE-862
### TL;DR
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.
----
### Introduction
Missing authorization allows authenticated users to perform actions they are not intended to have access to.
The effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.
### Impact
Kirby's user permissions control which user role is allowed to perform specific actions in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). The permissions control the authorization of user actions (with h
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.