Getkirby Cms vulnerabilities
48 known vulnerabilities affecting getkirby/cms.
Total CVEs: 48
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 17, MEDIUM 29, LOW 1
Vulnerabilities
Page 1 of 3
CVE-2023-38490 · P2 · MEDIUM · affected: ≥ 0, < 3.5.8.3; ≥ 3.6.0, < 3.6.6.3; +3 more · 2023-07-28
CVE-2023-38490 [MEDIUM] CWE-611 XML External Entity (XXE) vulnerability in the XML data handler
### TL;DR
This vulnerability only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods.
If you use an affected method and cannot rule out XML input controlled by an attacker, we strongly reco
CVE-2025-31493 · P2 · MEDIUM · affected: ≥ 0, < 3.9.8.3; ≥ 3.10.0, < 3.10.1.2; +1 more · 2025-05-13
CVE-2025-31493 [MEDIUM] CWE-22 Kirby vulnerable to path traversal of collection names during file system lookup
### TL;DR
This vulnerability affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name (such as a collection name that depends on request or user data).
Sites that only use fixed calls to the `collection()` helper/`$kirby->collection()` me
CVE-2021-29460 · P3 · HIGH · PoC · affected: ≥ 0, < 3.5.4 · 2021-04-30
CVE-2021-29460 [HIGH] CWE-79 Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
### Impact
An editor with write access to the Kirby Panel can upload an SVG or XML file that contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for ex
CVE-2026-41325 · P3 · HIGH · affected: ≥ 0, < 4.9.0; ≥ 5.0.0, < 5.4.0 · 2026-04-24
CVE-2026-41325 [HIGH] CWE-863 Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection
### TL;DR
This vulnerability affects all Kirby sites where users of a particular role have no permission to create pages, files or users (`pages.create`, `files.create` or `users.create` permission is disabled). This can be due to configuration in the user blu
CVE-2017-16807 · P4 · MEDIUM · PoC · affected: ≥ 0, < 2.3.3; ≥ 2.4, < 2.4.2; +1 more · 2022-05-14
CVE-2017-16807 [MEDIUM] CWE-79 Kirby XSS Vulnerability
A cross-site scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
CVE-2023-38488 · P3 · HIGH · affected: ≥ 0, < 3.5.8.3; ≥ 3.6.0, < 3.6.6.3; +3 more · 2023-07-28
CVE-2023-38488 [HIGH] CWE-140 Field injection in the KirbyData text storage handler
### TL;DR
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update a Kirby content file (e.g. via a contact or comment form).
Your Kirby sites are *not* affected if they don't allow write access for untrusted users or visitors.
----
### Introduction
CVE-2020-26255 · P3 · MEDIUM · affected: ≥ 3.0.0, < 3.4.5 · 2020-12-08
CVE-2020-26255 [MEDIUM] CWE-434 Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5
### Impact
An editor with full access to the Kirby Panel can upload a PHP `.phar` file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Ph
CVE-2026-34587 · P3 · HIGH · affected: ≥ 0, < 4.9.0; ≥ 5.0.0, < 5.4.0 · 2026-04-23
CVE-2026-34587 [HIGH] CWE-1336 Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
### TL;DR
This vulnerability affects all Kirby sites that use option fields (`checkboxes`, `color`, `multiselect`, `select`, `radio`, `tags` or `toggles`) with options from a query or API whose values may not be fully trusted. It also affects direct uses of the `Option
CVE-2024-41964 · P3 · HIGH · affected: ≥ 0, < 3.6.6.6; ≥ 3.7.0, < 3.7.5.5; +4 more · 2024-08-29
CVE-2024-41964 [HIGH] CWE-863 Kirby has insufficient permission checks in the language settings
### TL;DR
This vulnerability affects all Kirby sites with enabled `languages` option that might have potential attackers in the group of authenticated Panel users.
If you have disabled the `languages` and/or `api` option and don't call any methods in your code that cause a write access to languages (language creation, update or delet
CVE-2024-26483 · P3 · MEDIUM · affected: ≥ 0, < 3.6.6.5; ≥ 3.7.0, < 3.7.5.4; +4 more · 2024-02-26
CVE-2024-26483 [MEDIUM] CWE-79 Kirby vulnerable to unrestricted file upload of user avatar images
### TL;DR
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.
The attack requires user interaction by another user or visitor and *cannot* be automated.
----
### Introduction
Unrestricted upload of files with a dangerous type is a type of vulnerability that a
CVE-2025-30207 · P3 · LOW · affected: ≥ 0, < 3.9.8.3; ≥ 3.10.0, < 3.10.1.2; +1 more · 2025-05-13
CVE-2025-30207 [LOW] CWE-22 Kirby vulnerable to path traversal in the router for PHP's built-in server
### TL;DR
This vulnerability affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development.
Sites that use other server software (such as Apache, nginx or Caddy) are *not* affected.
----
### Introduction
For use with PHP's built-in web server, Kirby provides a
CVE-2026-32870 · P3 · MEDIUM · affected: ≥ 0, < 4.9.0; ≥ 5.0.0, < 5.4.0 · 2026-04-23
CVE-2026-32870 [MEDIUM] CWE-91 Kirby has XML injection in its XML creator toolkit
### TL;DR
This vulnerability only affects Kirby sites that use the `Xml` data handler (e.g. `Data::encode($string, 'xml')`) or the `Xml::create()`, `Xml::tag()` or `Xml::value()` method(s) in site or plugin code. The Kirby core does not use any of the affected methods.
If consumers use an affected method and cannot rule out input to these methods controlled by a
CVE-2023-38492 · P3 · MEDIUM · affected: ≥ 0, < 3.5.8.3; ≥ 3.6.0, < 3.6.6.3; +3 more · 2023-07-28
CVE-2023-38492 [MEDIUM] CWE-770 Denial of service from unlimited password lengths
### TL;DR
This vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited; however, we still recommend updating to one of the patch releases because they also fix more severe vulnerabilities.
----
### Introduction
Denial of service (DoS) is a type of
CVE-2023-38489 · P3 · HIGH · affected: ≥ 0, < 3.5.8.3; ≥ 3.6.0, < 3.6.6.3; +3 more · 2023-07-28
CVE-2023-38489 [HIGH] CWE-613 Insufficient Session Expiration after a password change
### TL;DR
This vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config).
It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affect
CVE-2026-42137 · P3 · HIGH · affected: ≥ 0, < 4.9.0; ≥ 5.0.0, < 5.4.0 · 2026-04-30
CVE-2026-42137 [HIGH] CWE-862 Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API
### TL;DR
This vulnerability affects all Kirby sites where users of a particular role have no permission to access or list pages or files (`pages.access`, `pages.list`, `files.access` or `files.list` permission is disabled
CVE-2026-40099 · P3 · MEDIUM · affected: ≥ 0, < 4.9.0; ≥ 5.0.0, < 5.4.0 · 2026-04-23
CVE-2026-40099 [MEDIUM] CWE-863 Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
### TL;DR
This vulnerability affects all Kirby sites where users have the permission to create pages (`pages.create` permission is enabled) but not the permission to change the status of pages (`pages.changeStatus` permission is disabled). This can be due to con
CVE-2026-42069 · P3 · HIGH · affected: ≥ 0, < 4.9.0; ≥ 5.0.0, < 5.4.0 · 2026-05-04
CVE-2026-42069 [HIGH] CWE-862 Kirby CMS's read access to site, user and role information is not gated by permissions
### TL;DR
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.
**This vulnerability is of high severity for affected sites.**
Sites using Kirby are *not* affected if they intend all users of the site to be able to list and
CVE-2026-29905 · P4 · MEDIUM · affected: ≥ 0, < 5.2.0-rc.1 · 2026-03-27
CVE-2026-29905 [MEDIUM] CWE-20 Kirby CMS has Persistent DoS via Malformed Image Upload
## Summary
Kirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a persistent Denial of Service (DoS) via a malformed image upload.
## Details
The vulnerability is caused by improper validation of the return value of PHP's `getimagesize()` function. When a malformed file is uploaded with a valid image extension
CVE-2026-21896 · P4 · MEDIUM · affected: ≥ 5.0.0, < 5.2.2 · 2026-01-08
CVE-2026-21896 [MEDIUM] CWE-863 Kirby is missing permission checks in the content changes API
### TL;DR
This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the `update` permission with the intent to prevent modifications to site content.
If developers haven't configured any user permissions that deviate from the default
CVE-2020-26253 · P4 · MEDIUM · affected: ≥ 3.0.0, < 3.3.6 · 2021-01-14
CVE-2020-26253 [MEDIUM] CWE-346 Kirby .dev domains and some reverse proxy setups were treated as local
### Impact
#### About our registration block
In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years ago in Kirby 2. It helps to avoid that you forget registering your