SB20260423151 - Multiple vulnerabilities in Kirby


Published: April 23, 2026

Security Bulletin ID: SB20260423151
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 13%, Medium: 13%, Low: 75%

Description

This security bulletin contains information about 8 vulnerabilities.


1) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify user avatars without authorization.

The vulnerability exists due to missing authorization in user avatar management when handling avatar creation, replacement, or deletion requests. A remote user can create, replace, or delete user avatars without authorization.

The issue affects sites where the acting user's role is not permitted to update user information, but file permissions still allow avatar-related actions.


2) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to incorrect authorization in the Panel and REST API when handling requests for page and file listings and related models. A remote user can send crafted requests to access non-listable pages or files and disclose sensitive information.

The issue affects sites where page or file access or list permissions are disabled for a role through user blueprints, model blueprints, or both. Write actions are not affected.


3) Incorrect authorization (CVE-ID: CVE-2026-41325)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass create permission checks and create pages, files, or users.

The vulnerability exists due to incorrect authorization in page, file, and user creation APIs when processing a crafted blueprint parameter in creation requests. A remote user can inject custom dynamic blueprint configuration to bypass create permission checks and create pages, files, or users.

The issue affects sites where the relevant create permission is disabled in user blueprints, model blueprints, or both.


4) Incorrect authorization (CVE-ID: CVE-2026-40099)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to create published pages without authorization.

The vulnerability exists due to incorrect authorization in the page creation API when handling page creation requests with an overridden isDraft parameter. A remote user can send a crafted API request to create published pages without authorization.

The issue affects sites where users are allowed to create pages but are not allowed to change page status.


5) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2026-34587)

CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information or modify site content.

The vulnerability exists due to improper neutralization of special elements used in a template engine in option rendering for dynamic option values and text strings when loading option fields or processing OptionsApi or OptionsQuery data. A remote user can place malicious query templates in query or API-backed option sources to disclose sensitive information or modify site content.

Exploitation requires use of option fields with dynamic options from a query or API, or direct use of the OptionsApi or OptionsQuery classes. Malicious templates are executed when the affected Panel view is loaded, and exploitation may occur through the attacker's own Panel access or through another authenticated user's interaction with the manipulated view.


6) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in the /api/system REST API endpoint when handling authenticated requests. A remote user can send a request to the endpoint to disclose sensitive information.

The exposed information includes the installed Kirby version and the status, type and code of the installed license.


7) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in site, user, and role information access controls when handling authenticated Panel requests. A remote user can access site, user, and role information to disclose sensitive information.

Write actions are not affected.


8) XML injection (CVE-ID: CVE-2026-32870)

CWE-ID: CWE-91 - XML Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to manipulate the behavior of another system that processes generated XML data.

The vulnerability exists due to XML injection in the Xml::value() method when processing attacker-controlled input for XML generation. A remote attacker can supply crafted input containing a valid CDATA block followed by additional structured data to manipulate the behavior of another system that processes the generated XML data.

Only sites that use the Xml data handler or the Xml::create(), Xml::tag(), or Xml::value() methods in site or plugin code are affected.
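An added illustration (not Kirby's code) of the defensive point behind this entry: a value encoder must not pass input through as trusted markup merely because it begins with a CDATA opener and ends with a CDATA closer. `naive_value` is an assumed pass-through rule written here to show that class of mistake; `safe_value` keeps only a string that is exactly one CDATA section and re-encodes everything else, splitting any `]]>` so the section cannot be closed early. All sample values are constructed.

```python
from xml.etree import ElementTree as ET

CDATA_OPEN, CDATA_CLOSE = "<![CDATA[", "]]>"

# Constructed sample: a complete CDATA section followed by extra structure.
INJECTED = "<![CDATA[hello]]><extra>x</extra><![CDATA[]]>"


def is_single_cdata(value: str) -> bool:
    """True only if `value` is one complete CDATA section and nothing else.
    The body may not contain "]]>", because that would close the section."""
    if not (value.startswith(CDATA_OPEN) and value.endswith(CDATA_CLOSE)):
        return False
    body = value[len(CDATA_OPEN):-len(CDATA_CLOSE)]
    return CDATA_CLOSE not in body


def cdata(text: str) -> str:
    """Wrap arbitrary text in CDATA. The only sequence that can end a CDATA
    section is "]]>", so split it across two adjacent sections."""
    return CDATA_OPEN + text.replace(CDATA_CLOSE, "]]]]><![CDATA[>") + CDATA_CLOSE


def naive_value(value: str) -> str:
    """Assumed weak rule (illustrative, not Kirby's): anything that starts and
    ends like a CDATA section is emitted verbatim as pre-encoded XML."""
    if value.startswith(CDATA_OPEN) and value.endswith(CDATA_CLOSE):
        return value
    return cdata(value)


def safe_value(value: str) -> str:
    """Only an exact single CDATA section is kept; all else is re-encoded."""
    return value if is_single_cdata(value) else cdata(value)


def tag(name: str, value: str, encode=safe_value) -> str:
    """Render <name>value</name> using the chosen value encoder."""
    return f"<{name}>{encode(value)}</{name}>"


def parsed(xml: str) -> tuple[str, list[str]]:
    """Parse generated XML and return (text content, child tag names).
    Correct encoding yields the original string as text and no children;
    injected structure shows up as child elements."""
    root = ET.fromstring(xml)
    return root.text or "", [child.tag for child in root]


if __name__ == "__main__":
    print("naive:", parsed(tag("name", INJECTED, naive_value)))  # children appear
    print("safe: ", parsed(tag("name", INJECTED)))               # text only
```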


Remediation

Install the update from the vendor's website.