getkirby/cms
Packagist47 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting getkirby/cmspage 1 of 1
- CVE-2017-16807MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.5.72017-11-13
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
- CVE-2018-14519MEDIUMCVSS 4.3EG 4.32022-08-24
An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.
- CVE-2018-14520MEDIUMCVSS 5.4EG 5.42022-08-24
An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages.
- CVE-2020-26253MEDIUMCVSS 6.8EG 6.8✓ Fixed in 3.3.62020-12-08
vulnerable: 3.0.0 ... 3.3.5-rc.1 (49 versions)
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on …
- CVE-2020-26255MEDIUMCVSS 6.8EG 6.8✓ Fixed in 3.4.52020-12-08
vulnerable: 3.0.0 ... 3.4.4-rc.1 (61 versions)
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critica…
- CVE-2021-29460HIGHCVSS 7.6EG 7.6✓ Fixed in 3.5.42021-04-27
vulnerable: 3.0.0 ... 3.5.3.1 (76 versions)
Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful content like `<script>` tags. The direct link to that file can be sent to other users or visitors of the site. If the …
- CVE-2021-32735HIGHCVSS 7.1EG 7.1✓ Fixed in 3.5.72021-07-02
vulnerable: 3.0.0 ... 3.5.7-rc.1 (82 versions)
Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scrip…
- CVE-2021-41252HIGHCVSS 7.3EG 7.3✓ Fixed in 3.5.82021-11-16
vulnerable: 3.5.0 ... 3.5.7.1 (15 versions)
Kirby is an open source file structured CMS ### Impact Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) a…
- CVE-2021-41258HIGHCVSS 7.3EG 7.3✓ Fixed in 3.5.82021-11-16
vulnerable: 3.5.0 ... 3.5.7.1 (15 versions)
Kirby is an open source file structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to…
- CVE-2022-36037MEDIUMCVSS 5.9EG 5.9✓ Fixed in 3.5.8.12022-08-29
vulnerable: 3.0.0 ... 3.5.8 (85 versions)
kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code insi…
- CVE-2022-39314LOWCVSS 3.7EG 3.7✓ Fixed in 3.8.12022-10-24
vulnerable: 3.8.0, 3.8.1-rc.1
Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are usin…
- CVE-2022-39315MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.8.12022-10-25
vulnerable: 3.8.0, 3.8.1-rc.1
Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only …
- CVE-2023-38488HIGHCVSS 7.1EG 7.1✓ Fixed in 3.9.62023-07-27
vulnerable: 3.9.0 ... 3.9.6-rc.1 (12 versions)
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow ex…
- CVE-2023-38489HIGHCVSS 7.3EG 7.3✓ Fixed in 3.9.62023-07-27
vulnerable: 3.9.0 ... 3.9.6-rc.1 (12 versions)
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be a…
- CVE-2023-38490MEDIUMCVSS 6.8EG 6.8✓ Fixed in 3.9.62023-07-27
vulnerable: 3.9.0 ... 3.9.6-rc.1 (12 versions)
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` m…
- CVE-2023-38491MEDIUMCVSS 5.7EG 5.7✓ Fixed in 3.9.62023-07-27
vulnerable: 3.9.0 ... 3.9.6-rc.1 (12 versions)
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow ex…
- CVE-2023-38492MEDIUMCVSS 5.3EG 5.3✓ Fixed in 3.9.62023-07-27
vulnerable: 3.9.0 ... 3.9.6-rc.1 (12 versions)
Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world i…
- CVE-2024-26481MEDIUMCVSS 4.7EG 4.7✓ Fixed in 4.1.12024-02-22
vulnerable: 4.0.0 ... 4.1.0-rc.3 (8 versions)
Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter.
- CVE-2024-26483HIGHCVSS 8.8EG 8.8✓ Fixed in 4.1.12024-02-22
vulnerable: 4.0.0 ... 4.1.0-rc.3 (8 versions)
An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.
- CVE-2024-27087MEDIUMCVSS 4.6EG 4.6✓ Fixed in 4.1.12024-02-26
vulnerable: 4.0.0 ... 4.1.0-rc.3 (8 versions)
Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases…
- CVE-2024-41964HIGHCVSS 8.1EG 8.1✓ Fixed in 4.3.12024-08-29
vulnerable: 4.0.0 ... 4.3.0-rc.1 (14 versions)
Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed an…
- CVE-2025-30207HIGHCVSS 7.5EG 7.5✓ Fixed in 4.7.12025-05-13
vulnerable: 4.0.0 ... 4.7.0-rc.1 (25 versions)
Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Site…
- CVE-2025-31493CRITICALCVSS 9.1EG 9.1✓ Fixed in 4.7.12025-05-13
vulnerable: 4.0.0 ... 4.7.0-rc.1 (25 versions)
Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name…
- CVE-2025-65012MEDIUMCVSS 5.4EG 5.4✓ Fixed in 5.1.42025-11-18
vulnerable: 5.0.0 ... 5.1.3 (10 versions)
Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without…
- CVE-2026-21896MEDIUMCVSS 5.7EG 5.7✓ Fixed in 5.2.22026-01-08
vulnerable: 5.0.0 ... 5.2.1 (14 versions)
Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent spe…
- CVE-2026-29905MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.2.0-rc.12026-03-26
vulnerable: 3.0.0 ... 5.1.4 (261 versions)
Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize(…
- CVE-2026-32870HIGHCVSS 7.5EG 7.5✓ Fixed in 5.4.02026-04-24
vulnerable: 5.0.0 ... 5.3.3 (21 versions)
Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. How…
- CVE-2026-34587HIGHCVSS 8.1EG 8.1✓ Fixed in 5.4.02026-04-24
vulnerable: 5.0.0 ... 5.3.3 (21 versions)
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for e…
- CVE-2026-40099MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.4.02026-04-24
vulnerable: 5.0.0 ... 5.3.3 (21 versions)
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`si…
- CVE-2026-41325HIGHCVSS 8.8EG 8.8✓ Fixed in 5.4.02026-04-24
vulnerable: 5.0.0 ... 5.3.3 (21 versions)
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`si…
- CVE-2026-42051MEDIUMCVSS 4.3EG 4.3✓ Fixed in 5.4.02026-05-09
vulnerable: 5.0.0 ... 5.3.3 (21 versions)
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.
- CVE-2026-42069MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.4.02026-05-09
vulnerable: 5.0.0 ... 5.3.3 (21 versions)
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
- CVE-2026-42137MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.4.02026-05-09
vulnerable: 5.0.0 ... 5.3.3 (21 versions)
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4…
- CVE-2026-42174MEDIUMCVSS 4.3EG 4.3✓ Fixed in 5.4.02026-05-09
vulnerable: 5.0.0 ... 5.3.3 (21 versions)
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
- CVE-2026-44174HIGHCVSS 0.0EG 0.0✓ Fixed in 5.4.12026-05-26
vulnerable: 5.0.0 ... 5.4.0 (22 versions)
Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints ### TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. **This vulnera…
- CVE-2026-44175HIGHCVSS 0.0EG 0.0✓ Fixed in 5.4.12026-05-26
vulnerable: 5.0.0 ... 5.4.0 (22 versions)
Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend ### TL;DR This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be …
- CVE-2026-44176MEDIUMCVSS 0.0EG 0.0✓ Fixed in 5.4.12026-05-26
vulnerable: 5.0.0 ... 5.4.0 (22 versions)
Kirby CMS's `pages.access` permission is not checked during rendering of page drafts ### TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (`pages.access` permission is d…
- CVE-2026-44177HIGHCVSS 0.0EG 0.0✓ Fixed in 5.4.12026-05-26
vulnerable: 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0
Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup ### TL;DR This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication. **This vuln…
- CVE-2026-45334MEDIUMCVSS 0.0EG 0.0✓ Fixed in 5.4.12026-05-27
vulnerable: 5.0.0 ... 5.4.0 (22 versions)
Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions ### TL;DR This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the `users.acce…
- CVE-2026-45368HIGHCVSS 0.0EG 0.0✓ Fixed in 5.4.12026-05-27
vulnerable: 5.0.0 ... 5.4.0 (22 versions)
Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend ### TL;DR This vulnerability affects all Kirby sites that allow the use of the `(link: …)` KirbyTag, the `link:` parameter…
- CVE-2026-49274MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.4.42026-06-18
vulnerable: 5.0.0 ... 5.4.3 (41 versions)
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or …
- CVE-2026-49276HIGHCVSS 7.4EG 7.4✓ Fixed in 5.4.42026-06-18
vulnerable: 5.0.0 ... 5.4.3 (41 versions)
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the writer field in any blueprint allowed a scripting link to be included as the target of a link or email link in writer mark components, makin…
- CVE-2026-50188MEDIUMCVSS 6.9EG 6.9✓ Fixed in 5.4.42026-06-18
vulnerable: 5.0.0 ... 5.4.3 (41 versions)
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request(), Remote::get(), and Remote::post(), to send outgoing HTTP requests with unt…
- CVE-2026-54002HIGHCVSS 8.5EG 8.5✓ Fixed in 5.4.42026-06-18
vulnerable: 5.0.0 ... 5.4.3 (41 versions)
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins that use the writer or list fields or call Dom::sanitize(), Sane::sanitize(), Sane::Html::sanitize(), Sane::Svg::sanitize(), Sane::Xml::sa…
- CVE-2026-54003CRITICALCVSS 9.1EG 9.1✓ Fixed in 5.4.42026-06-18
vulnerable: 5.0.0 ... 5.4.3 (41 versions)
Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP …
- CVE-2026-54004MEDIUMCVSS 6.3EG 6.3✓ Fixed in 5.4.42026-06-18
vulnerable: 5.0.0 ... 5.4.3 (41 versions)
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites with content.fileRedirects enabled could redirect unauthenticated clean file URL requests for files stored in top-level draft pages to physical media …
- CVE-2026-54005HIGHCVSS 7.1EG 7.1✓ Fixed in 5.4.42026-06-18
vulnerable: 5.0.0 ... 5.4.3 (41 versions)
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites where a role has the pages.access permission disabled allowed authenticated users who know or guess page IDs or UUIDs to retrieve page information, in…
Check whether getkirby/cms is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for getkirby/cms CVEs against the assets you own.
Start Free Scan →