Getkirby Cms vulnerabilities
48 known vulnerabilities affecting getkirby/cms.
Total CVEs: 48
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 17, MEDIUM 29, LOW 1
Vulnerabilities
Page 2 of 3
CVE-2023-38491 | P4 | MEDIUM | affected versions: ≥ 0, < 3.5.8.3; ≥ 3.6.0, < 3.6.6.3 (+3 more) | 2023-07-28
CVE-2023-38491 [MEDIUM] CWE-79 Cross-site scripting (XSS) from MIME type auto-detection of uploaded files
### TL;DR
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content folder.
Your Kirby sites are *not* affected if they don't allow file uploads for untrusted users or visitors o
Sources: GHSA, OSV
CVE-2024-26482 | P4 | HIGH | affected versions: ≥ 0, ≤ 4.1.0 | 2024-02-22
CVE-2024-26482 [HIGH] CWE-80 Withdrawn Advisory: Kirby CMS HTML injection vulnerability
## Withdrawn Advisory
This advisory has been withdrawn because the vendor reports that some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's mentioned "injecting malicious scripts" would not occur.
## Original Advisory
An HTML injection vulnerability in the Edit Content Layout module
Sources: GHSA
CVE-2024-27087 | P4 | MEDIUM | affected versions: ≥ 4.0.0, < 4.1.1 | 2024-02-26
CVE-2024-27087 [MEDIUM] CWE-79 Kirby vulnerable to Cross-site scripting (XSS) in the link field "Custom" type
### TL;DR
This vulnerability affects Kirby sites that use the new [link field](https://getkirby.com/docs/reference/panel/fields/link) and output the entered link without additional validation or sanitization.
The attack commonly requires user interaction by another user or visitor.
The link dialog of the w
Sources: GHSA, OSV
CVE-2022-36037 | P4 | MEDIUM | affected versions: ≥ 0, < 3.5.8.1 | 2022-08-29
CVE-2022-36037 [MEDIUM] CWE-79 Cross-site scripting from dynamic options in the multiselect field
### Introduction
Cross-site scripting (XSS) is a type of vulnerability that allows executing any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.
Such vulnerabilities are critical if you m
Sources: GHSA, OSV
CVE-2022-39315 | P4 | MEDIUM | affected versions: ≥ 0, < 3.5.8.2; ≥ 3.6.0, < 3.6.6.2 (+2 more) | 2022-10-18
CVE-2022-39315 [MEDIUM] CWE-204 Kirby CMS vulnerable to user enumeration in the brute force protection
### TL;DR
This vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be exploited for targeted attacks because the attack does not scale to brute force.
----
### Introduction
User enumeration is a type of vulnerability that allows attackers to con
Sources: GHSA, OSV
CVE-2021-41252 | P4 | MEDIUM | affected versions: ≥ 3.5.0, < 3.5.8 | 2021-11-16
CVE-2021-41252 [MEDIUM] CWE-79 Cross-site scripting (XSS) from writer field content in the site frontend
### Impact
Kirby's [writer field](https://getkirby.com/docs/reference/panel/fields/writer) stores its formatted content as HTML code. Unlike with other field types, it is not possible to [escape HTML special characters](https://getkirby.com/docs/guide/templates/escaping) against cross-site scripting (XSS) attacks, oth
Sources: GHSA, OSV
CVE-2025-65012 | P4 | MEDIUM | affected versions: ≥ 5.0.0, < 5.1.4 | 2025-11-18
CVE-2025-65012 [MEDIUM] CWE-79 Kirby CMS has cross-site scripting (XSS) in the changes dialog
### TL;DR
This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update page titles or usernames.
The attack requires user interaction by another Panel user and *cannot* be automated.
----
### Introduction
Cross-site scripting (XSS) i
Sources: GHSA, OSV
CVE-2021-41258 | P4 | MEDIUM | affected versions: ≥ 3.5.0, < 3.5.8 | 2021-11-16
CVE-2021-41258 [MEDIUM] CWE-79 Cross-site scripting (XSS) from image block content in the site frontend
### Impact
Kirby's [blocks field](https://getkirby.com/docs/reference/panel/fields/blocks) stores structured data for each block. This data is then used in [block snippets](https://getkirby.com/docs/reference/panel/fields/blocks#block-snippets) to convert the blocks to HTML for use in your templates. We recommend to [es
Sources: GHSA, OSV
CVE-2018-14520 | P4 | MEDIUM | affected versions: ≥ 0, ≤ 2.5.12 | 2022-08-25
CVE-2018-14520 [MEDIUM] CWE-79 Kirby CMS 2.5.12 Cross-site Scripting
An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages.
Sources: GHSA, OSV
CVE-2021-32735 | P4 | HIGH | affected versions: ≥ 0, < 3.5.7 | 2021-07-02
CVE-2021-32735 [HIGH] CWE-80 Cross-site scripting (XSS) from field and configuration text displayed in the Panel
On Saturday, @hdodov reported that the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks.
We used his report as an opportunity to find and fix XSS issues related to dynamic s
Sources: GHSA, OSV
CVE-2026-42051 | P4 | MEDIUM | affected versions: ≥ 0, < 4.9.0; ≥ 5.0.0, < 5.4.0 | 2026-05-04
CVE-2026-42051 [MEDIUM] CWE-862 Kirby CMS's system API endpoint leaks installed version and license data to authenticated users
### TL;DR
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.
----
### Introduction
Missing authorization allows authenticated users to perform actions they are not intended to have access to.
The eff
Sources: GHSA
CVE-2026-42174 | P4 | MEDIUM | affected versions: ≥ 0, < 4.9.0; ≥ 5.0.0, < 5.4.0 | 2026-05-04
CVE-2026-42174 [MEDIUM] CWE-862 Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions
### TL;DR
This vulnerability affects all Kirby sites where users of a particular role have no permission to update user information (`user.update` or `users.update` permission is disabled). This can be due to configuration in the blueprint(s) of the acting users, via
Sources: GHSA
CVE-2024-26481 | P4 | MEDIUM | affected versions: ≥ 0, < 3.6.6.5; ≥ 3.7.0, < 3.7.5.4 (+4 more) | 2024-02-26
CVE-2024-26481 [MEDIUM] CWE-79 Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field
### TL;DR
This vulnerability affects Kirby sites that use the [URL field](https://getkirby.com/docs/reference/panel/fields/url) in any blueprint.
A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack *canno
Sources: GHSA, OSV
CVE-2018-14519 | P4 | MEDIUM | affected versions: ≥ 0, ≤ 2.5.12 | 2022-08-25
CVE-2018-14519 [MEDIUM] CWE-352 Kirby CMS 2.5.12 Cross-site Request Forgery
An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.
Sources: GHSA, OSV
CVE-2022-39314 | P4 | MEDIUM | affected versions: ≥ 3.5.0, < 3.5.8.2; ≥ 3.6.0, < 3.6.6.2 (+2 more) | 2022-10-18
CVE-2022-39314 [MEDIUM] CWE-204 Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms
### TL;DR
This vulnerability only affects you if you are using the `code` or `password-reset` auth method with the `auth.methods` option. It can only be successfully exploited under server configuration conditions outside of the attacker's control.
----
### Introduction
User enumera
Sources: GHSA, OSV
CVE-2026-54003 | CRITICAL | affected versions: ≥ 0, < 4.9.4; ≥ 5.0.0-alpha.1, < 5.4.4 | 2026-06-18
CVE-2026-54003 [CRITICAL] CWE-454 Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
### TL;DR
This vulnerability affects Kirby sites that have no configured user accounts and are running on publicly accessible servers behind a reverse proxy that sets the `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` request header.
It was possible to install the P
Sources: GHSA
CVE-2026-54005 | HIGH | affected versions: ≥ 0, < 4.9.4; ≥ 5.0.0-alpha.1, < 5.4.4 | 2026-06-18
CVE-2026-54005 [HIGH] CWE-862 Kirby: `pages.access` permission is not checked in the `site/find` REST API route
### TL;DR
This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model blueprint(s), or a combination of both settings.
It was pos
Sources: GHSA
CVE-2026-49276 | HIGH | affected versions: ≥ 0, < 4.9.4; ≥ 5.0.0-alpha.1, < 5.4.4 | 2026-06-18
CVE-2026-49276 [HIGH] CWE-83 Kirby: Self cross-site scripting (self-XSS) in the writer field
### TL;DR
This vulnerability affects Kirby sites that use the writer field in any blueprint.
It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it.
A successful attack commonly requires knowledge of the content structure by the attacker as
Sources: GHSA
CVE-2026-54002 | HIGH | affected versions: ≥ 0, < 4.9.4; ≥ 5.0.0-alpha.1, < 5.4.4 | 2026-06-18
CVE-2026-54002 [HIGH] CWE-79 Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`
### TL;DR
This vulnerability affects Kirby sites and plugins that use the `writer` or `list` fields or that use `$dom->sanitize()`, `Sane::sanitize()`, `Sane\Html::sanitize()`, `Sane\Svg::sanitize()`, `Sane\Xml::sanitize()`, `Sane::sanitizeFile()` or `$file->sanitizeContents()` with
Sources: GHSA
CVE-2026-50188 | MEDIUM | affected versions: ≥ 0, < 4.9.4; ≥ 5.0.0-alpha.1, < 5.4.4 | 2026-06-18
CVE-2026-50188 [MEDIUM] CWE-113 Kirby: Request header injection in `Http\Remote`
### TL;DR
This vulnerability affects Kirby sites and plugins that use the `Kirby\Http\Remote` class (including `Remote::request()`, `Remote::get()`, `Remote::post()`, and similar helpers) to send outgoing HTTP requests and that pass untrusted, user-controlled data into the `headers` option of such a request.
By including newline characters in the value of the heade
Sources: GHSA