Security Advisories - getkirby/cms

getkirby/cms Security Advisories for 5.0.0-rc.6 (22)

[HIGH] Kirby: `pages.access` permission is not checked in the `site/find` REST API route

PKSA-jpkc-34xj-4vfy CVE-2026-54005 GHSA-r3w8-2c5r-h9j9

Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3

Reported by:
GitHub
[MEDIUM] Kirby: Access to files of top-level drafts is not protected by permissions

PKSA-6sq2-11dh-hkdq CVE-2026-54004 GHSA-89cp-7p28-jffg

Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3

Reported by:
GitHub
[CRITICAL] Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header

PKSA-h8zr-vfb5-1d5r CVE-2026-54003 GHSA-whxw-24jc-cwmv

Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3

Reported by:
GitHub
[HIGH] Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`

PKSA-wps5-gfv8-mm6f CVE-2026-54002 GHSA-wr9h-4r83-f4v6

Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3

Reported by:
GitHub
[MEDIUM] Kirby: Request header injection in `Http\Remote`

PKSA-k11s-611y-v46q CVE-2026-50188 GHSA-4v4h-m2qq-ppgw

Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3

Reported by:
GitHub
[HIGH] Kirby: Self cross-site scripting (self-XSS) in the writer field

PKSA-hnr2-vddk-p4gy CVE-2026-49276 GHSA-rhj6-r49h-5932

Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3

Reported by:
GitHub
[MEDIUM] Kirby: `pages.access` permission is not checked in the pages picker for parent pages

PKSA-4ys7-5twb-r3bn CVE-2026-49274 GHSA-23q2-54qv-rq5x

Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3

Reported by:
GitHub
[HIGH] Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend

PKSA-d956-rcc1-9n2f CVE-2026-45368 GHSA-qvjf-922g-pj44

Affected version: >=5.0.0,<=5.4.0|<=4.9.0

Reported by:
GitHub
[MEDIUM] Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions

PKSA-q7k8-c5gf-pkgc CVE-2026-45334 GHSA-39vq-49qm-r2mc

Affected version: >=5.0.0,<=5.4.0|<=4.9.0

Reported by:
GitHub
[MEDIUM] Kirby CMS's `pages.access` permission is not checked during rendering of page drafts

PKSA-ycvm-k4m4-tr9m CVE-2026-44176 GHSA-2xw4-v2wx-hqq9

Affected version: >=5.0.0,<=5.4.0|<=4.9.0

Reported by:
GitHub
[HIGH] Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend

PKSA-g7d2-4qf5-mg45 CVE-2026-44175 GHSA-5fhx-9q32-q257

Affected version: >=5.0.0,<=5.4.0|<=4.9.0

Reported by:
GitHub
[HIGH] Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints

PKSA-hhnz-p4k9-sfyd CVE-2026-44174 GHSA-86rh-h242-j8xp

Affected version: >=5.0.0,<=5.4.0|<=4.9.0

Reported by:
GitHub
[MEDIUM] Kirby CMS's system API endpoint leaks installed version and license data to authenticated users

PKSA-d1w9-s6x2-nh6p CVE-2026-42051 GHSA-x68m-c7jf-2572

Affected version: >=5.0.0,<=5.3.3|<=4.8.0

Reported by:
GitHub
[MEDIUM] Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions

PKSA-p78d-845h-8y84 CVE-2026-42174 GHSA-39cp-6679-8xv2

Affected version: >=5.0.0,<=5.3.3|<=4.8.0

Reported by:
GitHub
[HIGH] Kirby CMS's read access to site, user and role information is not gated by permissions

PKSA-wrgq-xy3s-q6nz CVE-2026-42069 GHSA-2h7v-4372-f6x2

Affected version: >=5.0.0,<=5.3.3|<=4.8.0

Reported by:
GitHub
[HIGH] Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API

PKSA-bpcj-ysn7-my14 CVE-2026-42137 GHSA-85x2-r8xv-ww8c

Affected version: >=5.0.0,<=5.3.3|<=4.8.0

Reported by:
GitHub
[HIGH] Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection

PKSA-m1sp-3j4c-yg88 CVE-2026-41325 GHSA-6gqr-mx34-wh8r

Affected version: >=5.0.0,<5.4.0|<4.9.0

Reported by:
GitHub
[MEDIUM] Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter

PKSA-pyk9-2q1t-drry CVE-2026-40099 GHSA-w942-j9r6-hr6r

Affected version: >=5.0.0,<5.4.0|<4.9.0

Reported by:
GitHub
[HIGH] Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering

PKSA-w67s-1md9-r7dk CVE-2026-34587 GHSA-jcjw-58rv-c452

Affected version: >=5.0.0,<5.4.0|<4.9.0

Reported by:
GitHub
[MEDIUM] Kirby has XML injection in its XML creator toolkit

PKSA-rr97-2byk-h46m CVE-2026-32870 GHSA-9wfj-c55w-j9qr

Affected version: >=5.0.0,<5.4.0|<4.9.0

Reported by:
GitHub
[MEDIUM] Kirby is missing permission checks in the content changes API

PKSA-yfpp-rndk-cm9x CVE-2026-21896 GHSA-4j78-4xrm-cr2f

Affected version: >=5.0.0,<=5.2.1

Reported by:
GitHub
[MEDIUM] Kirby CMS has cross-site scripting (XSS) in the changes dialog

PKSA-jms5-zv67-g12r CVE-2025-65012 GHSA-84hf-8gh5-575j

Affected version: >=5.0.0,<5.1.4

Reported by:
GitHub

getkirby/cms Security Advisories for 5.0.0-rc.6 (22)

[HIGH] Kirby: `pages.access` permission is not checked in the `site/find` REST API route

[MEDIUM] Kirby: Access to files of top-level drafts is not protected by permissions

[CRITICAL] Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header

[HIGH] Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`

[MEDIUM] Kirby: Request header injection in `Http\Remote`

[HIGH] Kirby: Self cross-site scripting (self-XSS) in the writer field

[MEDIUM] Kirby: `pages.access` permission is not checked in the pages picker for parent pages

[HIGH] Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend

[MEDIUM] Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions

[MEDIUM] Kirby CMS's `pages.access` permission is not checked during rendering of page drafts

[HIGH] Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend

[HIGH] Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints

[MEDIUM] Kirby CMS's system API endpoint leaks installed version and license data to authenticated users

[MEDIUM] Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions

[HIGH] Kirby CMS's read access to site, user and role information is not gated by permissions

[HIGH] Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API

[HIGH] Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection

[MEDIUM] Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter

[HIGH] Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering

[MEDIUM] Kirby has XML injection in its XML creator toolkit

[MEDIUM] Kirby is missing permission checks in the content changes API

[MEDIUM] Kirby CMS has cross-site scripting (XSS) in the changes dialog