CVE-2026-42174
Published: 2026-05-09
Priority: P4 (22) · medium · CVSS 3.1 base score 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
EPSS: 0.24% (14.6th percentile)
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0 < 4.9.0 | 4.9.0 |
| getkirby | cms | >= 5.0.0 < 5.4.0 | 5.4.0 |
| getkirby | kirby | < 4.9.0 | 4.9.0 |
| getkirby | kirby | — | — |
| getkirby | kirby | >= 5.0.0 < 5.4.0 | 5.4.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| NVD | 4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
getkirby up to 4.8.x/5.3.x authorization (GHSA-39cp-6679-8xv2)
vuldb · 2026-05-09 · CVSS 5.3 · CVE-2026-42174 [MEDIUM]
A vulnerability identified as problematic has been detected in getkirby kirby up to 4.8.x/5.3.x. This impacts an unknown function. This manipulation causes missing authorization.
This vulnerability is handled as CVE-2026-42174. The attack can be initiated remotely. No exploit is available.
You should upgrade the affected component.
GHSA
Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions
ghsa · 2026-05-04 · CVE-2026-42174 [MEDIUM] · CWE-862
### TL;DR
This vulnerability affects all Kirby sites where users of a particular role have no permission to update user information (the `user.update` or `users.update` permission is disabled). This can result from configuration in the blueprint(s) of the acting users, from `options` in the blueprint(s) of the target users, or from a combination of both settings.
Kirby sites are *not* affected if they intend all users of the site to be able to upload, replace or delete user avatars. The vulnerability can only be exploited by authenticated users.
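The two conditions in the TL;DR (an affected version, and at least one role whose user-update permission is restricted by the acting role's `permissions`, by the target's `options`, or both) can be turned into a site-owner's exposure check. The following is an added example written for this page; it is not Kirby's code and not part of the advisory. It assumes a simplified model of Kirby user blueprints in which `permissions.users.update` / `permissions.user.update` (a whole category may be a bare `true`/`false`) and `options.update` are the only settings that matter, takes the blueprints as already-parsed dicts (a real check would load `site/blueprints/users/*.yml` with a YAML parser), and uses the affected ranges from the table above. The sample blueprints are constructed for illustration.

```python
"""Exposure check for CVE-2026-42174 (added example; not Kirby's own code).

Answers two questions for a site owner:
  1. Is the installed Kirby version inside an affected range?
  2. Which acting-role / target-role combinations rely on a user-update
     restriction that affected versions did not apply to avatar changes?
"""
from typing import Any, Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as listed in the advisory table: >= 0 < 4.9.0 and >= 5.0.0 < 5.4.0
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((0, 0, 0), (4, 9, 0)),
    ((5, 0, 0), (5, 4, 0)),
)


def parse_version(text: str) -> Version:
    """Turn '4.8.3', 'v5.3.1' or '5.4.0-rc.1' into a comparable (major, minor, patch)."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected_version(text: str) -> bool:
    """True when the version falls inside an affected range.

    A pre-release of a fix version (e.g. 5.4.0-rc.1) predates the fix and is
    treated as affected rather than silently rounded up to the fixed release.
    """
    version = parse_version(text)
    prerelease = "-" in text
    for low, high in AFFECTED_RANGES:
        if low <= version < high:
            return True
        if prerelease and version == high:
            return True
    return False


def _category_allows(permissions: Any, category: str, action: str) -> bool:
    """Resolve permissions.<category>.<action> with bare true/false shorthand
    at the block or category level (assumed simplified blueprint model)."""
    if permissions is False:
        return False
    if not isinstance(permissions, dict):
        return True
    cat = permissions.get(category, True)
    if isinstance(cat, bool):
        return cat
    if not isinstance(cat, dict):
        return True
    return cat.get(action, True) is not False


def update_restricted(acting_bp: Dict[str, Any], target_bp: Dict[str, Any], is_self: bool) -> bool:
    """True when the acting role may NOT update the target user's account.

    Two settings combine, matching the advisory's 'combination of both':
      - permissions.user.update (own account) / permissions.users.update (others)
        on the acting role's blueprint
      - options.update on the target user's blueprint
    """
    category = "user" if is_self else "users"
    acting_allows = _category_allows(acting_bp.get("permissions", {}), category, "update")
    target_allows = (target_bp.get("options") or {}).get("update", True) is not False
    return not (acting_allows and target_allows)


def avatar_exposure(version: str, blueprints: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """List (acting_role, target_role) pairs where user update is restricted but,
    on an affected version, avatar create/replace/delete was not gated.
    An empty list means nothing to fix: patched, or no restriction is relied on."""
    if not is_affected_version(version):
        return []
    gaps: List[Tuple[str, str]] = []
    for acting, acting_bp in blueprints.items():
        if update_restricted(acting_bp, acting_bp, is_self=True):
            gaps.append((acting, acting + " (own account)"))
        for target, target_bp in blueprints.items():
            if update_restricted(acting_bp, target_bp, is_self=False):
                gaps.append((acting, target))
    return gaps


# Constructed sample blueprints (not from any real site).
SAMPLE_BLUEPRINTS: Dict[str, Dict[str, Any]] = {
    "admin": {"title": "Admin"},  # no permissions block: everything allowed
    "editor": {"title": "Editor", "permissions": {"users": {"update": False}}},
    "client": {"title": "Client", "options": {"update": False}, "permissions": {"users": False}},
}

if __name__ == "__main__":
    for ver in ("4.8.3", "4.9.0", "5.3.1", "5.4.0"):
        print(ver, "affected" if is_affected_version(ver) else "fixed")
    for acting, target in avatar_exposure("4.8.3", SAMPLE_BLUEPRINTS):
        print(f"restriction bypassed before the fix: {acting} -> {target}")
```

On an affected version the report lists every pair where the intended restriction was not enforced for avatars; upgrading to 4.9.0 / 5.4.0 empties the list, which is the only remediation the advisory offers. The role pairs are still useful after upgrading, as a record of which blueprints' user-update restrictions to confirm in the panel.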
----
### Introduction
Missing authorization allows authenticated users to perform actions they are not intended to have access to.
The effects of missi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.