Arbitrary file upload in Kirby - CVE-2020-26255

Published: December 2, 2020 / Updated: April 23, 2026


Vulnerability identifier: #VU127185
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-26255
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists because the Panel's content file upload handling does not restrict files of a dangerous type (CWE-434): a PHP Phar archive (.phar) is accepted as an ordinary content file. A remote user with Panel access can upload a crafted .phar file and then request it through the web server; if the server hands .phar requests to the PHP interpreter, the archive's stub runs and the user executes arbitrary PHP code on the server.

Only authenticated users with access to the Kirby Panel (an account that is allowed to upload content files) can exploit this issue; visitors without Panel access cannot reach the upload handler. Whether the uploaded archive actually executes depends on the web server rather than on Kirby: PHP only runs a Phar when the handler configuration routes requests for that extension to it, which several common default configurations do (for example the Apache PHP module configuration shipped by Debian and Ubuntu maps .php, .phtml and .phar to the PHP handler). Note that blocking the .phar extension alone is not sufficient on its own, because a Phar stub can be prefixed with image bytes and uploaded under an image name.
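The following is an added illustration, not Kirby's own upload code: it contrasts the kind of extension denylist that lets a Phar through (the gap the advisory describes) with an allowlist that also checks file content. The denylist contents, the allowlist, and the sample uploads are all constructed for the demo; the Phar stubs are harmless.

```python
# Illustrative upload validation (added example, not Kirby's code).
# Shows why an extension denylist lets a Phar through and how an allowlist
# plus a content check closes the gap. All sample files below are constructed.

# Denylist in the style of a classic "block the dangerous extensions" check.
# It is missing "phar", which is exactly the gap CVE-2020-26255 describes.
EXTENSION_DENYLIST = {"php", "php3", "php4", "php5", "phtml"}

# Allowlist: each accepted extension is paired with the magic bytes a file
# of that type must start with. Anything not listed is rejected.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# A Phar archive is a PHP file whose stub ends with __HALT_COMPILER();
# PHP needs that marker to locate the archive manifest, so it is a reliable
# content signature regardless of the file name.
PHAR_MARKER = b"__HALT_COMPILER()"


def extension_of(filename: str) -> str:
    """Return the last extension, lower-cased ('a.jpg.phar' -> 'phar')."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def denylist_accepts(filename: str) -> bool:
    """Flawed check: everything not explicitly denied is accepted."""
    return extension_of(filename) not in EXTENSION_DENYLIST


def looks_like_phar(data: bytes) -> bool:
    """Content check: does the body carry a Phar stub terminator?"""
    return PHAR_MARKER in data


def allowlist_accepts(filename: str, data: bytes) -> bool:
    """Hardened check: extension must be allowlisted, the content must start
    with that type's magic bytes, and the body must not carry a Phar stub
    (JPEG-prefixed Phar polyglots are valid Phars to PHP)."""
    magic = ALLOWED_TYPES.get(extension_of(filename))
    if magic is None or not data.startswith(magic):
        return False
    return not looks_like_phar(data)


# Constructed sample uploads: a benign image, a Phar with a harmless stub,
# a plain PHP file, and a JPEG-prefixed Phar polyglot named like an image.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "archive.phar": b"<?php echo 'stub'; __HALT_COMPILER(); ?>",
    "script.php": b"<?php echo 'plain php'; ?>",
    "polyglot.jpg": b"\xff\xd8\xff\xe0<?php echo 'stub'; __HALT_COMPILER(); ?>",
}


def evaluate(samples: dict[str, bytes] = SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Map each sample name to (accepted by denylist, accepted by allowlist)."""
    return {
        name: (denylist_accepts(name), allowlist_accepts(name, data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in evaluate().items():
        print(f"{name:14} denylist={'accept' if deny_ok else 'reject':6} "
              f"allowlist={'accept' if allow_ok else 'reject'}")
```

Running it shows the denylist accepting both `archive.phar` and the polyglot while rejecting only `script.php`; the allowlist accepts nothing but the real image. The content check matters even after `phar` is added to a denylist, because the web server decides what to execute by extension and PHP decides what is a Phar by the stub, so a defence that only looks at one of the two leaves a gap.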


How to mitigate CVE-2020-26255

Install the security update from the vendor's website: Kirby 3.4.5 and later block Phar archives in the upload handler. As defence in depth, configure the web server so that nothing under the content and media directories is passed to the PHP interpreter (uploads should never be executable, whatever their extension), and narrow the file types each file blueprint accepts with its `accept` option. Because the flaw was exploitable by anyone who already held a Panel account, also review the content directory for .phar files or Phar stubs that were uploaded before the update, and audit Panel accounts that could have performed the upload.
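An added audit script for the last step above, not part of the advisory or of Kirby: it walks a content tree and reports files that are Phar archives by extension or by content, so uploads that landed before the upgrade can be found and removed. It assumes Panel uploads live under Kirby's content directory (with served copies under media); the sample tree it scans is constructed in a temporary directory for the demo.

```python
# Added audit script (not Kirby's code): find Phar uploads in a content tree.
# Assumes uploads are stored under the Kirby content directory; the sample
# tree below is constructed purely for the demonstration.
import os
import shutil
import tempfile

# Extensions the web server may hand to PHP; "phar" is the one this CVE concerns.
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Every Phar stub ends with this call; PHP uses it to find the manifest.
PHAR_MARKER = b"__HALT_COMPILER()"


def classify(path: str) -> list[str]:
    """Return the reasons a file is suspect (an empty list means clean)."""
    reasons = []
    ext = path.rsplit(".", 1)[-1].lower() if "." in os.path.basename(path) else ""
    if ext in DANGEROUS_EXTENSIONS:
        reasons.append(f"dangerous extension '{ext}'")
    with open(path, "rb") as fh:
        data = fh.read()
    if PHAR_MARKER in data:
        # Catches polyglots: an image-named file that is still a Phar to PHP.
        reasons.append("phar stub in body")
    return reasons


def find_suspect_uploads(root: str) -> dict[str, list[str]]:
    """Map relative path -> reasons for every suspect file under root."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = classify(path)
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits


def build_sample_tree() -> str:
    """Create a constructed Kirby-like content tree in a temp directory."""
    root = tempfile.mkdtemp(prefix="kirby-content-")
    files = {
        "home/home.txt": b"Title: Home\n----\nText: Welcome\n",
        "home/hero.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
        "blog/post-1/post-1.txt": b"Title: First post\n",
        "blog/post-1/upload.phar": b"<?php echo 'stub'; __HALT_COMPILER(); ?>",
        "blog/post-1/cover.jpg": b"\xff\xd8\xff\xe0<?php echo 'x'; __HALT_COMPILER(); ?>",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def audit_sample() -> dict[str, list[str]]:
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return find_suspect_uploads(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reasons in sorted(audit_sample().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

On a real installation call `find_suspect_uploads` on the content directory (and on media, where Kirby keeps served copies). The content check is what finds `cover.jpg` in the sample tree: a plain name search such as `find content media -iname '*.phar'` misses a Phar that was uploaded under an image extension, and the stub marker is the signature PHP itself relies on.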
