getkirby/cms Security Advisories for 5.4.0 (13)
-
[HIGH] Kirby: `pages.access` permission is not checked in the `site/find` REST API route
PKSA-jpkc-34xj-4vfy CVE-2026-54005 GHSA-r3w8-2c5r-h9j9
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by:
GitHub -
[MEDIUM] Kirby: Access to files of top-level drafts is not protected by permissions
PKSA-6sq2-11dh-hkdq CVE-2026-54004 GHSA-89cp-7p28-jffg
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by:
GitHub -
[CRITICAL] Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
PKSA-h8zr-vfb5-1d5r CVE-2026-54003 GHSA-whxw-24jc-cwmv
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by:
GitHub -
[HIGH] Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`
PKSA-wps5-gfv8-mm6f CVE-2026-54002 GHSA-wr9h-4r83-f4v6
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by:
GitHub -
[MEDIUM] Kirby: Request header injection in `Http\Remote`
PKSA-k11s-611y-v46q CVE-2026-50188 GHSA-4v4h-m2qq-ppgw
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by:
GitHub -
[HIGH] Kirby: Self cross-site scripting (self-XSS) in the writer field
PKSA-hnr2-vddk-p4gy CVE-2026-49276 GHSA-rhj6-r49h-5932
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by:
GitHub -
[MEDIUM] Kirby: `pages.access` permission is not checked in the pages picker for parent pages
PKSA-4ys7-5twb-r3bn CVE-2026-49274 GHSA-23q2-54qv-rq5x
Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3
Reported by:
GitHub -
[HIGH] Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend
PKSA-d956-rcc1-9n2f CVE-2026-45368 GHSA-qvjf-922g-pj44
Affected version: >=5.0.0,<=5.4.0|<=4.9.0
Reported by:
GitHub -
[MEDIUM] Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions
PKSA-q7k8-c5gf-pkgc CVE-2026-45334 GHSA-39vq-49qm-r2mc
Affected version: >=5.0.0,<=5.4.0|<=4.9.0
Reported by:
GitHub -
[HIGH] Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup
PKSA-82wy-dsmt-xgpc CVE-2026-44177 GHSA-9hx7-c53c-v6x8
Affected version: >=5.3.0,<=5.4.0
Reported by:
GitHub -
[MEDIUM] Kirby CMS's `pages.access` permission is not checked during rendering of page drafts
PKSA-ycvm-k4m4-tr9m CVE-2026-44176 GHSA-2xw4-v2wx-hqq9
Affected version: >=5.0.0,<=5.4.0|<=4.9.0
Reported by:
GitHub -
[HIGH] Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend
PKSA-g7d2-4qf5-mg45 CVE-2026-44175 GHSA-5fhx-9q32-q257
Affected version: >=5.0.0,<=5.4.0|<=4.9.0
Reported by:
GitHub -
[HIGH] Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints
PKSA-hhnz-p4k9-sfyd CVE-2026-44174 GHSA-86rh-h242-j8xp
Affected version: >=5.0.0,<=5.4.0|<=4.9.0
Reported by:
GitHub