Relative Path Traversal in Kirby - CVE-2025-31493
Published: April 23, 2026
Kirby
Detailed vulnerability description
The vulnerability allows a remote attacker to access arbitrary files and execute unintended PHP code.
The vulnerability exists due to path traversal in the collection() helper and $kirby->collection() method when processing a dynamic collection name during file system lookup. A remote attacker can supply a specially crafted collection name containing traversal sequences to access arbitrary files and execute unintended PHP code.
Only sites that use dynamic collection names derived from request or user data are vulnerable.
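The condition described above, a request-derived collection name reaching a file system lookup, shown with a defensive check as an added example (not code from Kirby or from this advisory). It contrasts a lexical containment check with an exact-match allowlist. The collections directory, the allowed names, the sample inputs and all function names are constructed assumptions.

```php
<?php
// Added example. Paths, names and helpers are hypothetical; this is not Kirby's code.
const COLLECTIONS_ROOT    = '/var/www/site/collections';   // assumed layout
const ALLOWED_COLLECTIONS = ['articles', 'projects', 'team'];

/** Collapse "." and ".." segments lexically, without touching the file system. */
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

/** Where a name-to-file lookup would land if the name were used unchecked. */
function lookupTarget(string $name): string
{
    return normalizePath(COLLECTIONS_ROOT . '/' . $name . '.php');
}

/** True when the lookup target stays below the collections root. */
function staysInRoot(string $name): bool
{
    return !str_contains($name, "\0")
        && str_starts_with(lookupTarget($name), COLLECTIONS_ROOT . '/');
}

/** Exact-match allowlist: the only names a request may select. */
function resolveCollectionName(mixed $requested): ?string
{
    return is_string($requested) && in_array($requested, ALLOWED_COLLECTIONS, true)
        ? $requested : null;
}

// Constructed request values, including a non-string (?collection[]=team).
foreach (['articles', 'blog/featured', '../other/file', 'team/../../../index', ['team']] as $in) {
    printf("%-24s inside_root=%-3s resolved=%s\n",
        json_encode($in, JSON_UNESCAPED_SLASHES),
        is_string($in) && staysInRoot($in) ? 'yes' : 'no',
        resolveCollectionName($in) ?? 'REJECTED');
}
```

In site code, only the resolved value would be passed on: take `resolveCollectionName($_GET['collection'] ?? null)` and call `collection()` with it only when the result is not null.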