
Getkirby CMS vulnerabilities

48 known vulnerabilities affecting getkirby/cms.

Total CVEs: 48
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 17, MEDIUM 29, LOW 1

Vulnerabilities

Page 3 of 3
CVE-2026-54004 | MEDIUM | Affected: ≥ 0, < 4.9.4; ≥ 5.0.0-alpha.1, < 5.4.4 | 2026-06-18
CVE-2026-54004 [MEDIUM] CWE-862: Kirby: Access to files of top-level drafts is not protected by permissions
TL;DR: This vulnerability affects Kirby 5 sites that have the `content.fileRedirects` option enabled (set to `true` or a custom closure) as well as all Kirby 4 sites that haven't explicitly disabled this option. It was possible to access clean file URLs of top-level drafts (e.g. `/about-us/team.jpg`) without pr
Source: GHSA
CVE-2026-49274 | MEDIUM | Affected: ≥ 0, < 4.9.4; ≥ 5.0.0-alpha.1, < 5.4.4 | 2026-06-18
CVE-2026-49274 [MEDIUM] CWE-862: Kirby: `pages.access` permission is not checked in the pages picker for parent pages
TL;DR: This vulnerability affects all Kirby sites that use the `pages` field and where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), `options` in the model blueprint(s), or a co
Source: GHSA
CVE-2026-45368 | HIGH | Affected: ≥ 0, < 4.9.1; ≥ 5.0.0, < 5.4.1 | 2026-05-27
CVE-2026-45368 [HIGH] CWE-79: Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend
TL;DR: This vulnerability affects all Kirby sites that allow the use of the `(link: …)` KirbyTag, the `link:` parameter of the `(image: …)` KirbyTag, the built-in `image` block with a link or the HTML importer for blocks, when content is au
Source: GHSA
CVE-2026-45334 | MEDIUM | Affected: ≥ 0, < 4.9.1; ≥ 5.0.0, < 5.4.1 | 2026-05-27
CVE-2026-45334 [MEDIUM] CWE-862: Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions
TL;DR: This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the `users.access` or `users.list` permissions. A site is affected if users of a particular role are not allowed to see other users in
Source: GHSA
CVE-2026-44177 | HIGH | Affected: ≥ 5.3.0, < 5.4.1 | 2026-05-26
CVE-2026-44177 [HIGH] CWE-22: Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup
TL;DR: This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent of setup conditions and authentication. **This vulnerability is of high severity for all Kirby sites.**
Introduction: Path traversal is a type of attack that allows access to arbitra
Source: GHSA
CVE-2026-44174 | HIGH | Affected: ≥ 0, < 4.9.1; ≥ 5.0.0, < 5.4.1 | 2026-05-26
CVE-2026-44174 [HIGH] CWE-470: Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints
TL;DR: This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. **This vulnerability is of high severity for affected sites and has a high real-world impact.**
Introduction: Arbitrary method call is a type of
Source: GHSA
CVE-2026-44175 | HIGH | Affected: ≥ 0, < 4.9.1; ≥ 5.0.0, < 5.4.1 | 2026-05-26
CVE-2026-44175 [HIGH] CWE-79: Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend
TL;DR: This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block. **This vulnerabi
Source: GHSA
CVE-2026-44176 | MEDIUM | Affected: ≥ 0, < 4.9.1; ≥ 5.0.0, < 5.4.1 | 2026-05-26
CVE-2026-44176 [MEDIUM] CWE-862: Kirby CMS's `pages.access` permission is not checked during rendering of page drafts
TL;DR: This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is disabled). This can be due to configuration in the user blueprint(s), via `options` in the model blueprint(s) or via a combination of both settin
Source: GHSA
Getkirby Cms vulnerabilities | cvebase