SB2026052274 - Multiple vulnerabilities in Kirby
Published: May 22, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2026-45334)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to missing authorization in the content-locking feature when returning Panel view payloads and lock-related error responses. A remote user can access lock information for users they are not permitted to access or list to disclose sensitive information.
Exploitation requires an authenticated Panel account and affects only sites that restrict user visibility with the users.access or users.list permissions. Only users who currently have a model open for editing are exposed; lock records remain active for a configurable period (10 minutes by default), so the exposure window is bounded but renewed on each edit.
2) Cross-site scripting (CVE-ID: CVE-2026-44175)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript code in the site frontend.
The vulnerability exists due to improper neutralization of input during web page generation in the list field and list block content handling when processing updates sent to Kirby's API. A remote user can send crafted content containing malicious HTML code to execute arbitrary JavaScript code in the site frontend.
The attack requires an authenticated Panel user with permission to update a list field or list block, and the injected code is stored in content and executed when the frontend renders the affected content.
3) Cross-site scripting (CVE-ID: CVE-2026-45368)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to insufficient validation of editor-supplied link targets in KirbyTags, image blocks, and the blocks HTML importer when they are rendered in the site frontend. A remote user can inject a link with a dangerous URI scheme (for example javascript:) into content to execute arbitrary JavaScript in the browser of a visitor who clicks it.
User interaction is required because the victim must click the rendered malicious link, and the issue affects the site frontend rather than the Panel itself.
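The two stored-XSS issues above (2 and 3) share the same fix on the rendering side: text from a list field must be escaped for its HTML context, and an editor-supplied link target must be checked against an allowlist of URI schemes before it is written into an href. The following PHP is an added example written for this bulletin, not Kirby's own code or patch; the function names, the default scheme list and the test payloads are all constructed for the illustration. It requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example (not Kirby code): output hardening for stored content.
// Assumptions: list items are plain text and never carry markup; link targets
// are arbitrary editor-supplied strings that may use any URI scheme.

/** Escape text for an HTML element or attribute context so stored markup is inert. */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Return the link target if its scheme is allowed, otherwise null.
 * Relative targets ("/about", "#top", "about.html") have no scheme and are kept.
 * Scheme-relative targets ("//evil.example") are rejected because they leave the site.
 */
function safeLinkTarget(string $href, array $allowedSchemes = ['http', 'https', 'mailto', 'tel']): ?string
{
    // Strip control characters first: browsers ignore them inside a scheme,
    // so "java\tscript:" would otherwise slip past a naive prefix check.
    $cleaned = trim((string) preg_replace('/[\x00-\x1F\x7F]/', '', $href));
    if ($cleaned === '' || str_starts_with($cleaned, '//')) {
        return null;
    }
    // A scheme is a run of scheme characters from the start up to the first ':'.
    // "path/to:file" does not match (the '/' breaks the run) and is treated as relative.
    if (preg_match('/^([a-zA-Z][a-zA-Z0-9+.\-]*):/', $cleaned, $m) === 1) {
        return in_array(strtolower($m[1]), $allowedSchemes, true) ? $cleaned : null;
    }
    return $cleaned;
}

/** Render a list field's items with every item escaped. */
function renderList(array $items): string
{
    $html = '<ul>';
    foreach ($items as $item) {
        $html .= '<li>' . escapeHtml((string) $item) . '</li>';
    }
    return $html . '</ul>';
}

/** Render an editor-supplied link; keep the text but drop the link if the scheme is not allowed. */
function renderLink(string $href, string $text): string
{
    $target = safeLinkTarget($href);
    if ($target === null) {
        return escapeHtml($text);
    }
    return '<a href="' . escapeHtml($target) . '">' . escapeHtml($text) . '</a>';
}

// Constructed payloads for the demonstration; none are taken from the advisories.
$links = [
    ['javascript:alert(document.cookie)', 'click me'],
    ["\tJaVaScRiPt:alert(1)", 'mixed case with leading tab'],
    ['data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==', 'data URI'],
    ['//attacker.example/', 'scheme-relative'],
    ['https://getkirby.com/', 'absolute, allowed'],
    ['/docs/guide', 'relative, allowed'],
    ['mailto:editor@example.com', 'mailto, allowed'],
];
foreach ($links as [$href, $text]) {
    echo renderLink($href, $text), PHP_EOL;
}
echo renderList(['plain item', '<img src=x onerror=alert(1)>']), PHP_EOL;
```

The scheme check and the escaping belong together: the allowlist decides whether a value may become an href at all, and escapeHtml guarantees that whatever survives (including entity-encoded tricks such as java&#x09;script:) is written into the attribute as literal text rather than re-interpreted by the HTML parser.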
4) PHP file inclusion (CVE-ID: CVE-2026-44177)
CWE-ID: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to include arbitrary PHP files.
The vulnerability exists because the Users collection's user lookup builds a PHP include path from a request-provided user ID without adequately validating it (improper control of a filename for an include/require statement, CWE-98). A remote attacker can supply a specially crafted user ID to include arbitrary PHP files.
The issue is reachable via unauthenticated requests to the authentication API and also affects other code paths that use $users->find() with request-provided email addresses or user IDs.
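The pattern behind vulnerability 4 is a lookup that turns an identifier from the request into a filesystem path and then includes it. The PHP below is an added example for this bulletin, not Kirby's code or fix; the accounts/<id>/index.php layout, the ID alphabet in the regular expression and the throwaway directory are assumptions made for the illustration. It shows the unsafe shape next to a hardened one and runs against a temporary directory so the traversal is visible without touching a real install (PHP 8.0 or later).

```php
<?php
declare(strict_types=1);

// Added example (not Kirby code). Models a lookup that maps a user ID to a PHP
// file under an accounts directory and includes it. The layout
// accounts/<id>/index.php is an assumption for this illustration.

/** Unsafe shape: the request-provided ID goes straight into the include path. */
function loadAccountUnsafe(string $accountsRoot, string $id): ?array
{
    $file = $accountsRoot . '/' . $id . '/index.php';
    if (!is_file($file)) {
        return null;
    }
    return include $file; // "../uploads/x" style IDs reach files outside $accountsRoot
}

/**
 * Hardened shape: accept only IDs from the expected alphabet, then confirm the
 * resolved path still lies inside the accounts directory. Both checks matter:
 * the pattern stops traversal, the realpath check stops symlinks and survives
 * any later relaxation of the pattern.
 */
function loadAccountSafe(string $accountsRoot, string $id): ?array
{
    // Adjust the pattern to the ID format the application actually generates (assumed here).
    if (preg_match('/\A[a-z0-9]{1,64}\z/', $id) !== 1) {
        return null;
    }
    $root = realpath($accountsRoot);
    $file = realpath($accountsRoot . '/' . $id . '/index.php');
    if ($root === false || $file === false) {
        return null;
    }
    if (!str_starts_with($file, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return include $file;
}

// Throwaway layout constructed for the demonstration.
$base = sys_get_temp_dir() . '/kirby-include-demo-' . bin2hex(random_bytes(4));
mkdir("$base/accounts/abc123", 0700, true);
mkdir("$base/uploads/evil", 0700, true);
file_put_contents("$base/accounts/abc123/index.php", "<?php return ['email' => 'editor@example.com'];");
file_put_contents("$base/uploads/evil/index.php", "<?php return ['pwned' => true];");
$accounts = "$base/accounts";

var_dump(loadAccountUnsafe($accounts, 'abc123'));          // legitimate account
var_dump(loadAccountUnsafe($accounts, '../uploads/evil')); // includes the uploaded file
var_dump(loadAccountSafe($accounts, 'abc123'));            // legitimate account
var_dump(loadAccountSafe($accounts, '../uploads/evil'));   // NULL: rejected by the ID check
```

If the same lookup must also accept e-mail addresses, as the bulletin notes for $users->find(), resolve the address to an ID through an index the application controls rather than by building a path from the address itself; an address never passes the ID pattern above, which is the intended behaviour.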
5) Missing Authorization (CVE-ID: CVE-2026-44176)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the main CMS router path resolver when rendering page drafts from a requested URL path. A remote user can request the full path to an existing page draft to disclose sensitive information.
Exploitation requires authentication and knowledge of the full path to an existing page draft. Write actions are not affected.
6) Unsafe reflection (CVE-ID: CVE-2026-44174)
CWE-ID: CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information or perform unauthorized actions.
The vulnerability exists due to use of externally-controlled input to select code in REST API search and collection query endpoints when processing collection queries. A remote user can supply crafted query parameters that reference arbitrary model methods to disclose sensitive information or perform unauthorized actions.
Exploitation requires access as an authenticated Panel user.
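Vulnerability 6 is the classic CWE-470 shape: a dotted query string is walked segment by segment and each segment is dispatched as a method call, so any public method becomes reachable. The defence is to fail closed on an explicit allowlist of methods per class. The PHP below is an added example for this bulletin, not Kirby's query engine or its fix; the Site, Pages and Page classes, the allowlist contents and the query strings are stand-ins constructed for the illustration (PHP 8.1 or later for the constructor promotion syntax).

```php
<?php
declare(strict_types=1);

// Added example (not Kirby code): a minimal dotted-query resolver that only
// dispatches to allowlisted methods. The model classes below are stand-ins.

final class Page
{
    public function __construct(public readonly string $slug, public readonly bool $listed) {}
    public function title(): string { return ucfirst($this->slug); }
    public function isListed(): bool { return $this->listed; }
    public function delete(): void { throw new RuntimeException("would have deleted '{$this->slug}'"); }
}

final class Pages
{
    /** @param Page[] $pages */
    public function __construct(private array $pages) {}
    public function listed(): Pages
    {
        return new Pages(array_values(array_filter($this->pages, fn (Page $p) => $p->isListed())));
    }
    public function first(): ?Page { return $this->pages[0] ?? null; }
    public function count(): int { return count($this->pages); }
    public function slugs(): array { return array_map(fn (Page $p) => $p->slug, $this->pages); }
}

final class Site
{
    public function __construct(private Pages $children) {}
    public function children(): Pages { return $this->children; }
    public function users(): array { return ['admin@example.com']; } // sensitive, public method
}

/**
 * Resolve "root.method.method" against $roots. The first segment must name a
 * registered root object; every further segment must be allowlisted for the
 * class of the current value. Anything else throws, so unknown classes,
 * unknown roots and non-listed methods all fail closed.
 */
function resolveQuery(array $roots, string $query, array $allowed): mixed
{
    $segments = explode('.', $query);
    $name = array_shift($segments);
    if (!isset($roots[$name])) {
        throw new InvalidArgumentException("unknown query root '$name'");
    }
    $current = $roots[$name];
    foreach ($segments as $segment) {
        if (!is_object($current)) {
            throw new InvalidArgumentException("cannot apply '$segment' to a scalar");
        }
        $class = $current::class;
        if (!in_array($segment, $allowed[$class] ?? [], true)) {
            throw new InvalidArgumentException("method '$segment' is not permitted on $class");
        }
        $current = $current->$segment();
    }
    return $current;
}

// Constructed model data and allowlist for the demonstration.
$roots = ['site' => new Site(new Pages([new Page('home', true), new Page('internal', false)]))];
$allowed = [
    Site::class  => ['children'],
    Pages::class => ['listed', 'first', 'count', 'slugs'],
    Page::class  => ['title', 'isListed'],
];
$queries = [
    'site.children.listed.slugs', // allowed, returns ["home"]
    'site.children.count',        // allowed, returns 2
    'site.users',                 // exists on Site but is not allowlisted
    'site.children.first.delete', // destructive method, not allowlisted
    'app.version',                // unknown root
];
foreach ($queries as $q) {
    try {
        echo $q, ' => ', json_encode(resolveQuery($roots, $q, $allowed)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $q, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The allowlist is keyed by concrete class, not by method name alone, because the same name (count, delete) can be harmless on one type and destructive on another; a single global list of "safe" names would drift back toward the original problem as the model grows.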
Remediation
Install the update from the vendor's website. The linked GitHub advisories list the affected and patched Kirby releases; for Composer installs, composer show getkirby/cms prints the installed version.
References
- https://github.com/getkirby/kirby/security/advisories/GHSA-39vq-49qm-r2mc
- https://github.com/getkirby/kirby/security/advisories
- https://github.com/getkirby/kirby/security/advisories/GHSA-5fhx-9q32-q257
- https://github.com/getkirby/kirby/security/advisories/GHSA-qvjf-922g-pj44
- https://github.com/getkirby/kirby/security/advisories/GHSA-9hx7-c53c-v6x8
- https://github.com/getkirby/kirby/security/advisories/GHSA-2xw4-v2wx-hqq9
- https://github.com/getkirby/kirby/security/advisories/GHSA-7xqv-6q9p-v8m8
- https://github.com/getkirby/kirby/security/advisories/GHSA-86rh-h242-j8xp