Relative Path Traversal in Kirby - CVE-2025-30159

Published: April 23, 2026


Vulnerability identifier: #VU127191
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-30159
CWE-ID: CWE-23
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote attacker to access arbitrary files and execute unintended PHP code.

The vulnerability exists due to relative path traversal in the snippet() helper and $kirby->snippet() method when processing a dynamic snippet name during file system lookup. A remote attacker can supply a specially crafted snippet name containing traversal sequences to access arbitrary files and execute unintended PHP code.

Only sites that use dynamic snippet names based on request or user data are vulnerable; sites that use only fixed snippet names are not affected.
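Added example (not from the advisory or the Kirby project): the unsafe pattern the advisory describes, a snippet name taken straight from the request, beside a hardened resolver that maps the untrusted value onto a fixed allowlist and structurally rejects anything that is not a plain snippet name. The snippet names, the `section` request parameter and the call to Kirby's `snippet()` helper are assumptions for illustration.

```php
<?php
// Example code, not Kirby's own. In a Kirby template the vulnerable
// pattern looks like: snippet(get('section'));  -- the request value
// drives the file system lookup (CWE-23).

// Hardened step 1: the request value is only a key into an allowlist of
// snippets the site actually ships; unknown keys fall back to a default,
// so no traversal sequence ever reaches the lookup.
function resolveSnippetName(string $requested, array $allowed, string $default): string
{
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Hardened step 2 (defence in depth): a structural check for places
// where an allowlist is impractical. Accepts a bare name or a
// forward-slash separated subfolder path of safe characters only;
// dots are excluded, so ".." can never pass.
function isSafeSnippetName(string $name): bool
{
    return (bool) preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$~', $name);
}

// Constructed demo inputs (stand-ins for what get('section') could return).
$allowed  = ['hero', 'cards', 'blocks/heading'];
$requests = ['hero', 'blocks/heading', 'not-a-snippet', '../site/config/config'];

foreach ($requests as $req) {
    $resolved = resolveSnippetName($req, $allowed, 'hero');
    printf("%-24s -> allowlist: %-15s structural check: %s\n",
        $req, $resolved, isSafeSnippetName($req) ? 'ok' : 'rejected');
}

// In a Kirby template, after the checks above, pass only the resolved
// allowlisted name to the helper (hypothetical usage):
//   snippet(resolveSnippetName((string) get('section', ''), $allowed, 'hero'));
```

Running the script from the CLI shows the two non-allowlisted inputs collapsing to the default and only the last one failing the structural check, which is the behaviour a template should rely on before calling `snippet()`.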


How to mitigate CVE-2025-30159

Install the security update from the vendor's website.

Sources