Relative Path Traversal in Kirby - CVE-2025-30207
Published: April 23, 2026
Kirby
Detailed vulnerability description
The vulnerability allows a remote attacker to determine whether files or directories exist outside of the restricted location.
The vulnerability is a path traversal in router.php when it handles requests for static files. A remote attacker can send a specially crafted request containing traversal sequences to determine whether files or directories exist outside of the restricted location.
Only setups that use PHP's built-in server are vulnerable. Sites using other server software such as Apache, nginx, or Caddy are not affected.
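The following router script for PHP's built-in server is an added illustration of the containment check that prevents this class of existence oracle. It is not Kirby's router.php or its fix, and the function name `is_servable_static_file()` is hypothetical.

```php
<?php
// Added illustration for `php -S`; not Kirby's router.php.
// is_servable_static_file() is a hypothetical helper name.

/**
 * Return true only when the request path resolves to a regular file
 * that lies inside the document root.
 */
function is_servable_static_file(string $root, string $requestUri): bool
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return false;
    }

    // Drop the query string and decode percent-encoding once.
    $path = rawurldecode((string) parse_url($requestUri, PHP_URL_PATH));
    if ($path === '' || strpos($path, "\0") !== false) {
        return false;
    }

    // Weak form: is_file($rootReal . $path) follows "../" segments, so the
    // response differs depending on whether a path outside the root exists.
    $resolved = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($path, '/\\'));
    if ($resolved === false || !is_file($resolved)) {
        return false;
    }

    // Compare canonical paths; the trailing separator keeps a sibling such
    // as "/var/www-backup" from matching a root of "/var/www".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($resolved, $prefix, strlen($prefix)) === 0;
}

if (PHP_SAPI === 'cli-server') {
    if (is_servable_static_file($_SERVER['DOCUMENT_ROOT'], $_SERVER['REQUEST_URI'])) {
        return false; // built-in server convention: serve the file as-is
    }
    // A real router would dispatch to the application here. The point is that
    // "missing" and "outside the root" produce the same response.
    http_response_code(404);
    echo 'Not found';
}
```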