
Getkirby Kirby vulnerabilities

41 known vulnerabilities affecting getkirby/kirby.

Total CVEs: 41
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 10, MEDIUM 26, LOW 1

Vulnerabilities

Page 2 of 3
CVE-2024-26482 | P4 | HIGH | CVSS 7.1 | Affected: v4.1.0 | Date: 2024-02-22
CWE-80: An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's mentioned "injecting malicious scripts" would not occur.
Source: nvd
CVE-2023-38491 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 3.5.0, < 3.5.8.3; ≥ 3.6.0, < 3.6.6.3; +8 more | Date: 2023-07-27
CWE-79: Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content folder. Kirby sites are not affected if they don't all
Source: nvd
CVE-2024-27087 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 4.0.0, < 4.1.1; v>= 4.0.0, < 4.1.1 | Date: 2024-02-26
CWE-79: Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined link formats. As the "Custom" link type is meant to be flexible, it also a
Source: nvd
CVE-2018-16627 | P4 | MEDIUM | CVSS 6.1 | Affected: v2.5.12 | Date: 2018-12-20
CWE-74: panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature.
Source: nvd
CVE-2022-36037 | P4 | MEDIUM | CVSS 5.4 | Affected: fixed in 3.5.8.1 | Date: 2022-08-29
CWE-79: Kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests
Source: nvd
CVE-2022-39315 | P4 | MEDIUM | CVSS 5.3 | Affected: fixed in 3.5.8.2; ≥ 3.6.0, < 3.6.6.2; +5 more | Date: 2022-10-25
CWE-204: Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched
Source: nvd
CVE-2021-41252 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 3.5.0, ≤ 3.5.7.1; v>= 3.5.0, < 3.5.8 | Date: 2021-11-16
CWE-79: Kirby is an open source file structured CMS. Impact: Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user is logged in to the Panel, a harmful script can for e
Source: nvd
CVE-2025-65012 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 5.0.0, < 5.1.4; v>= 5.0.0, < 5.1.4 | Date: 2025-11-18
CWE-79: Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for display in the "Changes" dialog. If another authenticated user subseque
Source: nvd
CVE-2021-41258 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 3.5.0, ≤ 3.5.7.1; v>= 3.5.0, < 3.5.8 | Date: 2021-11-16
CWE-79: Kirby is an open source file structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters to protect against cross-site scripting (XSS) attacks. The default snippet for th
Source: nvd
CVE-2024-26484 | P4 | MEDIUM | CVSS 6.1 | Affected: v4.1.0 | Date: 2024-02-22
CWE-79: A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link field. NOTE: the vendor's position is that this issue did not affect any version of Kirby CMS. The only effect was on the trykirby.com demo site,
Source: nvd
CVE-2018-14520 | P4 | MEDIUM | CVSS 5.4 | Affected: v2.5.12 | Date: 2022-08-24
CWE-79: An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages.
Source: nvd
CVE-2021-32735 | P4 | MEDIUM | CVSS 5.4 | Affected: fixed in 3.5.7; ≤ 3.5.5, <= 3.5.6 | Date: 2021-07-02
CWE-80: Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Pa
Source: nvd
CVE-2018-16628 | P4 | MEDIUM | CVSS 5.4 | Affected: v2.5.12 | Date: 2018-12-04
CWE-79: panel/login in Kirby v2.5.12 allows XSS via a blog name.
Source: nvd
CVE-2026-42051 | P4 | MEDIUM | CVSS 4.3 | Affected: fixed in 4.9.0; ≥ 5.0.0, < 5.4.0; +1 more | Date: 2026-05-09
CWE-862: Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.
Source: nvd
CVE-2018-16624 | P4 | MEDIUM | CVSS 5.4 | Affected: v2.5.12 | Date: 2019-05-13
CWE-79: panel/pages/home/edit in Kirby v2.5.12 allows XSS via the title of a new page.
Source: nvd
CVE-2026-42174 | P4 | MEDIUM | CVSS 4.3 | Affected: fixed in 4.9.0; ≥ 5.0.0, < 5.4.0; +1 more | Date: 2026-05-09
CWE-862: Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
Source: nvd
CVE-2018-16630 | P4 | MEDIUM | CVSS 4.8 | Affected: v2.5.12 | Date: 2018-12-28
CWE-79: Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file.
Sources: ghsa, nvd, osv
CVE-2024-26481 | P4 | MEDIUM | CVSS 4.7 | Affected: fixed in 3.6.6.5; ≥ 3.7.0, < 3.7.5.4; +4 more | Date: 2024-02-22
CWE-79: Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter.
Source: nvd
CVE-2018-16623 | P4 | MEDIUM | CVSS 4.8 | Affected: v2.5.12 | Date: 2019-05-13
CWE-79: Kirby V2.5.12 is prone to a Persistent XSS attack via the Title of the "Site options" in the admin panel dashboard dropdown.
Source: nvd
CVE-2018-14519 | P4 | MEDIUM | CVSS 4.3 | Affected: v2.5.12 | Date: 2022-08-24
CWE-352: An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.
Source: nvd