CVE-2026-50188
Published: 2026-06-18
Severity: medium (7)
## Kirby: Request header injection in `Http\Remote`

### TL;DR

This vulnerability affects Kirby sites and plugins that use the `Kirby\Http\Remote` class (including `Remote::request()`, `Remote::get()`, `Remote::post()`, and similar helpers) to send outgoing HTTP requests and that pass untrusted, user-controlled data into the `headers` option of such a request. By including newline characters in a header value, it was possible to inject a separate, independent header that was not intended to be set.

A successful attack requires that an application or plugin forwards attacker-influenced input into a request header value. Sites that only send static, developer-defined headers are *not* affected. The attack does not target Panel users or site visitors directly; it targets the remote service that Kirby connects to.

In Kirby's default configuration, the `Remote` class is not exposed to untrusted input, so a default installation is *not* affected. The vulnerability becomes relevant for custom code, plugins, or integrations that build request headers from user input.

----

### Introduction

HTTP header injection (also known as CRLF injection) is a type of vulnerability that allows an attacker to insert additional, attacker-controlled HTTP headers into a request or response. HTTP headers are separated by carriage-return and line-feed characters (`\r\n`). If untrusted data containing these characters is placed into a header value without sanitization, an attacker can terminate the intended header early and append headers of their own.

For outgoing requests, this means an attacker who controls part of a header value can add or override headers that the application did not intend to send. Depending on the remote service (and on how it treats duplicate headers), this can be used to override security-relevant headers (such as `Authorization`, `Host`, or `Cookie`), to smuggle requests, or to poison caches on the upstream system.

Such vulnerabilities are relevant if untrusted input can reach the header values
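The following is an added example and not code from Kirby or from the advisory. It models the step where an HTTP client turns a `headers` array into the raw header block sent on the wire, so that the effect of a CR/LF in an untrusted value is visible, and it shows the check a plugin should run on every header value before handing the array to `Remote::request()`. The functions `buildHeaderBlock`, `assertSafeHeaderValue` and `safeHeaders`, the attacker string, and the assumption that the client joins `name: value` pairs with CRLF (as most clients do; Kirby's exact internal format is not asserted here) are all part of this example.

```php
<?php
declare(strict_types=1);

// Added example (not Kirby's code). Models how a client serialises a
// name => value headers array, and shows a guard that rejects values
// which could break out of their header line.

/**
 * Serialise name => value pairs as one "Name: value" line per entry,
 * separated by CRLF. Deliberately unvalidated, so the effect of a
 * CR/LF inside an untrusted value is visible.
 */
function buildHeaderBlock(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines) . "\r\n";
}

/**
 * Reject a header name/value pair that could terminate the current line.
 * HTTP field values may not contain CR, LF or NUL; a bare CR or LF is
 * refused too, since some parsers treat either alone as a line end.
 * Header names are limited to the token characters allowed by HTTP.
 */
function assertSafeHeaderValue(string $name, string $value): void
{
    if (preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name) !== 1) {
        throw new InvalidArgumentException("Invalid header name '$name'");
    }
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException("Header '$name' contains CR, LF or NUL");
    }
}

/** Validate every entry; returns the array unchanged if all values are safe. */
function safeHeaders(array $headers): array
{
    foreach ($headers as $name => $value) {
        assertSafeHeaderValue((string) $name, (string) $value);
    }
    return $headers;
}

// Constructed attacker input: imagine a form field that a plugin forwards
// to an upstream API as X-Forwarded-For.
$untrusted = "203.0.113.7\r\nAuthorization: Bearer attacker-token\r\nX-Injected: 1";

$headers = [
    'Authorization'   => 'Bearer real-service-token',
    'X-Forwarded-For' => $untrusted,
];

echo "--- vulnerable: untrusted value passed straight through ---\n";
echo buildHeaderBlock($headers);
// The block now carries a second Authorization header and an X-Injected
// header that the developer never set; which one wins is up to the remote.

echo "\n--- hardened: value checked before any request is built ---\n";
try {
    $checked = safeHeaders($headers);
    // In a Kirby plugin the checked array would then be passed on, e.g.
    // Remote::request($url, ['headers' => $checked]);  (needs Kirby and
    // network access, so not run in this stand-alone example)
    echo buildHeaderBlock($checked);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

echo "\n--- hardened: clean input still goes through ---\n";
echo buildHeaderBlock(safeHeaders([
    'Authorization'   => 'Bearer real-service-token',
    'X-Forwarded-For' => '203.0.113.7',
]));
```

Rejecting the value is preferable to stripping the CR/LF characters: silently "cleaning" attacker input turns `203.0.113.7\r\nAuthorization: …` into a single odd-looking but accepted value, which hides the attempt from logs and can still confuse upstream parsers. The same guard belongs on any header value derived from request data, regardless of which Kirby version is installed.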
### Affected versions (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0 < 4.9.4 | 4.9.4 |
| getkirby | cms | >= 5.0.0-alpha.1 < 5.4.4 | 5.4.4 |
### Indexed resources

- No detection rules found.
- No public exploits indexed.
- No writeups or analysis indexed.