Getkirby Kirby vulnerabilities

41 known vulnerabilities affecting getkirby/kirby.

Total CVEs: 41
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 10, MEDIUM 26, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2023-38490 | P2 | CRITICAL | CVSS 10.0 | Affected: ≥ 3.5.0, < 3.5.8.3; ≥ 3.6.0, < 3.6.6.3; +8 more | Published 2023-07-27
CWE-611 (XML External Entities). Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods.
Sources: NVD
CVE-2025-30159 | P2 | CRITICAL | CVSS 9.1 | Affected: fixed in 3.9.8.3; ≥ 3.10.0, < 3.10.1.2; +3 more | Published 2025-05-13
CWE-22. Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `snippet()` helper or `$kirby->snippet()` method with a dynamic snippet name (such as a snippet name that depends on request or user data). Sites that only use fixed calls to the `snippet()` helpe
Sources: GHSA, NVD, OSV
CVE-2025-31493 | P2 | CRITICAL | CVSS 9.1 | Affected: fixed in 3.9.8.3; ≥ 3.10.0, < 3.10.1.2; +3 more | Published 2025-05-13
CWE-22. Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name (such as a collection name that depends on request or user data). Sites that only use fixed calls to the `coll
Sources: NVD
CVE-2026-41325 | P3 | HIGH | CVSS 8.8 | Affected: fixed in 4.9.0; ≥ 5.0.0, < 5.4.0; +1 more | Published 2026-04-24
CWE-863. Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blue
Sources: NVD
CVE-2021-29460 | P3 | MEDIUM | CVSS 5.4 | PoC available | Affected: fixed in 3.5.4 | Published 2021-04-27
CWE-79. Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. If the victim opens that link in a browser where they are logged in to Kirby, the script will run and can for example trigger re
Sources: NVD
CVE-2023-38488 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 3.5.0, < 3.5.8.3; ≥ 3.6.0, < 3.6.6.3; +8 more | Published 2023-07-27
CWE-140. Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update a Kirby content file (e.g. via a contact or comment form). Kirby sites are *not* affecte
Sources: NVD
CVE-2020-26255 | P3 | CRITICAL | CVSS 9.1 | Affected: fixed in 3.4.5 | Published 2020-12-08
CWE-434. Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14, an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to
Sources: NVD
CVE-2026-34587 | P3 | HIGH | CVSS 8.1 | Affected: fixed in 4.9.0; ≥ 5.0.0, < 5.4.0; +1 more | Published 2026-04-24
CWE-1336. Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions fo
Sources: NVD
CVE-2024-41964 | P3 | HIGH | CVSS 8.1 | Affected: fixed in 3.6.6.6; ≥ 3.7.0, < 3.7.5.5; +9 more | Published 2024-08-29
CWE-863. Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existi
Sources: NVD
CVE-2024-26483 | P3 | HIGH | CVSS 8.8 | Affected: fixed in 3.6.6.5; ≥ 3.7.0, < 3.7.5.4; +4 more | Published 2024-02-22
CWE-94. An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.
Sources: NVD
CVE-2025-30207 | P3 | HIGH | CVSS 7.5 | Affected: fixed in 3.9.8.3; ≥ 3.10.0, < 3.10.1.2; +3 more | Published 2025-05-13
CWE-22. Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software (such as Apache, nginx or Caddy) are not affected. A missing path traversal check
Sources: NVD
CVE-2026-32870 | P3 | HIGH | CVSS 7.5 | Affected: fixed in 4.9.0; ≥ 5.0.0, < 5.4.0; +1 more | Published 2026-04-24
CWE-91. Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[...]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `C
Sources: NVD
CVE-2023-38492 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 3.5.0, < 3.5.8.3; ≥ 3.6.0, < 3.6.6.3; +8 more | Published 2023-07-27
CWE-770. Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited, however we still recommend to update to one of the patch releases because
Sources: NVD
CVE-2023-38489 | P3 | HIGH | CVSS 7.3 | Affected: ≥ 3.5.0, < 3.5.8.3; ≥ 3.6.0, < 3.6.6.3; +8 more | Published 2023-07-27
CWE-613. Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an
Sources: NVD
CVE-2026-42137 | P3 | MEDIUM | CVSS 6.5 | Affected: fixed in 4.9.0; ≥ 5.0.0, < 5.4.0; +1 more | Published 2026-05-09
CWE-862. Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
Sources: NVD
CVE-2026-40099 | P3 | MEDIUM | CVSS 6.5 | Affected: fixed in 4.9.0; ≥ 5.0.0, < 5.4.0; +1 more | Published 2026-04-24
CWE-863. Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model bl
Sources: NVD
CVE-2026-42069 | P3 | MEDIUM | CVSS 6.5 | Affected: fixed in 4.9.0; ≥ 5.0.0, < 5.4.0; +1 more | Published 2026-05-09
CWE-862. Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
Sources: NVD
CVE-2026-29905 | P4 | MEDIUM | CVSS 6.5 | Affected: ≤ 5.1.4 | Published 2026-03-26
CWE-20. Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to process this file for metadata or thumbnail generation, it triggers a fat
Sources: NVD
CVE-2026-21896 | P4 | MEDIUM | CVSS 5.7 | Affected: ≥ 5.0.0, < 5.2.2 | Published 2026-01-08
CWE-863. Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to
Sources: NVD
CVE-2020-26253 | P4 | MEDIUM | CVSS 5.9 | Affected: fixed in 3.3.6 | Published 2020-12-08
CWE-346. Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14, there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by defaul
Sources: NVD