getkirby

Top products

The 15 most recently published vulnerabilities affecting getkirby.

• CVE-2026-42174Kirby: User avatar creation, replacement and deletion are not gated by user update permissions4.3May 9, 2026
• CVE-2026-42137Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog6.5May 9, 2026
• CVE-2026-42051Kirby: System API endpoint leaks license data and installed version to authenticated users4.3May 9, 2026
• CVE-2026-42069Kirby: Read access to site, user and role information is not gated by permissions6.5May 9, 2026
• CVE-2026-41325Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection8.8Apr 24, 2026
• CVE-2026-40099Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter6.5Apr 24, 2026
• CVE-2026-34587Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering8.1Apr 24, 2026
• CVE-2026-32870Kirby has XML injection in its XML creator toolkit7.5Apr 24, 2026
• CVE-2026-29905Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate...6.5Mar 26, 2026
• CVE-2026-21896Kirby is missing permission checks in the content changes API5.7Jan 8, 2026
• CVE-2025-65012Kirby CMS has cross-site scripting (XSS) in the changes dialog5.4Nov 18, 2025
• CVE-2025-31493Path traversal of collection names during file system lookup9.1May 13, 2025
• CVE-2025-30207Kirby vulnerable to path traversal in the router for PHP's built-in server7.5May 13, 2025
• CVE-2025-30159Kirby vulnerable to path traversal of snippet names in the `snippet()` helper9.1May 13, 2025
• CVE-2024-41964Insufficient permission checks in the language settings in Kirby CMS8.1Aug 29, 2024