getkirby/cms Security Advisories for 3.4.2 (15)
- [LOW] Kirby vulnerable to path traversal in the router for PHP's built-in server (PKSA-psph-xw59-snn6, CVE-2025-30207, GHSA-9p3p-w5jf-8xxg). Affected versions: >=4.0.0,<4.7.1 | >=3.10.0,<3.10.1.2 | <3.9.8.3
- [MEDIUM] Kirby vulnerable to path traversal of collection names during file system lookup (PKSA-2y53-wq8k-h8qy, CVE-2025-31493, GHSA-x275-h9j4-7p4h). Affected versions: >=4.0.0,<4.7.1 | >=3.10.0,<3.10.1.2 | <3.9.8.3
- [HIGH] Kirby has insufficient permission checks in the language settings (PKSA-qp36-pv2c-kj8n, CVE-2024-41964, GHSA-jm9m-rqr3-wfmh). Affected versions: >=4.0.0,<=4.3.0 | >=3.10.0,<=3.10.1 | >=3.9.0,<=3.9.8.1 | >=3.8.0,<=3.8.4.3 | >=3.7.0,<=3.7.5.4 | <=3.6.6.5
- [MEDIUM] Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field (PKSA-sz76-zpcd-hvzc, CVE-2024-26481, GHSA-57f2-8p89-66x6). Affected versions: >=4.0.0,<=4.1.0 | =3.10.0 | >=3.9.0,<=3.9.8 | >=3.8.0,<=3.8.4.2 | >=3.7.0,<=3.7.5.3 | <=3.6.6.4
- [MEDIUM] Kirby vulnerable to unrestricted file upload of user avatar images (PKSA-yxtp-sp4n-y3tf, CVE-2024-26483, GHSA-xrvh-rvc4-5m43). Affected versions: >=4.0.0,<=4.1.0 | =3.10.0 | >=3.9.0,<=3.9.8 | >=3.8.0,<=3.8.4.2 | >=3.7.0,<=3.7.5.3 | <=3.6.6.4
- [HIGH] Field injection in the KirbyData text storage handler (PKSA-zqxs-5pcg-2nkm, CVE-2023-38488, GHSA-x5mr-p6v4-wp93). Affected versions: >=3.9.0,<3.9.6 | >=3.8.0,<3.8.4.1 | >=3.7.0,<3.7.5.2 | >=3.6.0,<3.6.6.3 | <3.5.8.3
- [HIGH] Insufficient Session Expiration after a password change (PKSA-8t3n-wjby-x47v, CVE-2023-38489, GHSA-5mvj-rvp8-rf45). Affected versions: >=3.9.0,<3.9.6 | >=3.8.0,<3.8.4.1 | >=3.7.0,<3.7.5.2 | >=3.6.0,<3.6.6.3 | <3.5.8.3
- [MEDIUM] XML External Entity (XXE) vulnerability in the XML data handler (PKSA-t9s4-yst7-6h1r, CVE-2023-38490, GHSA-q386-w6fg-gmgp). Affected versions: >=3.9.0,<3.9.6 | >=3.8.0,<3.8.4.1 | >=3.7.0,<3.7.5.2 | >=3.6.0,<3.6.6.3 | <3.5.8.3
- [MEDIUM] Cross-site scripting (XSS) from MIME type auto-detection of uploaded files (PKSA-dkbm-bh96-zk72, CVE-2023-38491, GHSA-8fv7-wq38-f5c9). Affected versions: >=3.9.0,<3.9.6 | >=3.8.0,<3.8.4.1 | >=3.7.0,<3.7.5.2 | >=3.6.0,<3.6.6.3 | <3.5.8.3
- [MEDIUM] Denial of service from unlimited password lengths (PKSA-3nsf-jngg-dvvg, CVE-2023-38492, GHSA-3v6j-v3qc-cxff). Affected versions: >=3.9.0,<3.9.6 | >=3.8.0,<3.8.4.1 | >=3.7.0,<3.7.5.2 | >=3.6.0,<3.6.6.3 | <3.5.8.3
- [MEDIUM] Kirby CMS vulnerable to user enumeration in the brute force protection (PKSA-5k7b-5skk-nstj, CVE-2022-39315, GHSA-c27j-76xg-6x4f). Affected versions: =3.8.0 | >=3.7.0,<3.7.5.1 | >=3.6.0,<3.6.6.2 | <3.5.8.2
- [MEDIUM] Cross-site scripting from dynamic options in the multiselect field (PKSA-1bcx-mr8v-2v3m, CVE-2022-36037, GHSA-3f89-869f-5w76). Affected versions: <3.5.8.1
- [HIGH] Cross-site scripting (XSS) from field and configuration text displayed in the Panel (PKSA-nqch-gpsw-gsgb, CVE-2021-32735, GHSA-2f2w-349x-vrqm). Affected versions: <=3.5.6
- [HIGH] Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby (PKSA-nwq2-w6t5-fvfs, CVE-2021-29460, GHSA-qgp4-5qx6-548g). Affected versions: <3.5.4
- [MEDIUM] Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5 (PKSA-7jnm-d2v8-r697, CVE-2020-26255, GHSA-g3h8-cg9x-47qw). Affected versions: >=3.0.0,<3.4.5