CVE-2026-44177
published 2026-05-26CVE-2026-44177: Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup ### TL;DR This vulnerability affects all Kirby sites on Kirby…
high
Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup ### TL;DR This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. **This vulnerability is of high severity for all Kirby sites**. ---- ### Introduction Path traversal is a type of attack that allows to access arbitrary filesystem paths. By using special elements such as `..` and `/` separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the `../` sequence, which in most modern operating systems is interpreted as the parent directory of the current location. Path traversal can give attackers information about the filesystem and directory structure on the server and can lead to additional attacks depending on the nature of the accessible files and directories. PHP file inclusion is a type of attack that allows to load and execute PHP files on the server that are not intended for direct inclusion. Depending on the logic inside the PHP files, this can lead to disclosure of sensitive information or unintended, malicious actions. ### Affected components Kirby's `Users` collection received a performance improvement in Kirby 5.3.0. Starting in this release, Kirby loads user objects lazily when they are first needed. Users are queried by their user ID, which is then used to look up the user's account directory in the `site/accounts` directory. This applies to the authentication API (accessible to unauthenticated requests), the users API (accessible to authenticated users only) as well as to other places that use `$users->find()` to look up an individual user with a request-provided email or user ID. ### Impact In affected releases, Kirby did not correctly validate the provided user ID, causing a path traversal vulnerability. This vulnerability results in the following impact: - Arbitrary
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 5.3.0 < 5.4.1 | 5.4.1 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-26
Published