Unsafe reflection in Kirby - CVE-2026-44174

Published: May 22, 2026


Vulnerability identifier: #VU132144
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-44174
CWE-ID: CWE-470
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information or perform unauthorized actions.

The vulnerability exists because the REST API search and collection query endpoints use externally-controlled input to select which code runs: while processing a collection query, segments of the query are resolved to model methods by name. A remote user can supply crafted query parameters that reference arbitrary model methods, including methods never intended to be query-accessible, to disclose sensitive information or perform unauthorized actions.

Exploitation requires access as an authenticated Panel user.
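The advisory describes the CWE-470 pattern but not the code. The following is an added, constructed illustration and is not Kirby's code; it is written in Python as a language-agnostic model of the bug. The Site and Page models, the method names (debug_config, delete, api_token) and the query strings are all assumptions. It shows a dotted collection-query resolver that maps each request-controlled segment to a model member by reflection, first in the vulnerable form (any attribute or method can be selected, so an internal helper leaks configuration and a destructive method can be invoked through a read-only query endpoint) and then hardened with a per-model allow-list of query-safe members.

```python
"""
Added, constructed illustration of CWE-470 in a dotted "collection query"
resolver. Not Kirby's code: the Site/Page models, member names and queries
below are assumptions chosen to show the pattern.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Type


class QueryError(ValueError):
    """Raised by the hardened resolver for any segment it does not allow."""


@dataclass
class Page:
    title: str
    listed: bool = True
    deleted: bool = False

    def slug(self) -> str:
        return self.title.lower().replace(" ", "-")

    def delete(self) -> str:
        # Destructive model method; must never be reachable from a query.
        self.deleted = True
        return f"deleted {self.title}"


@dataclass
class Site:
    pages: List[Page]
    api_token: str = "tok-constructed-secret"  # constructed sensitive value

    def children(self) -> List[Page]:
        return list(self.pages)

    def debug_config(self) -> Dict[str, str]:
        # Internal helper that leaks configuration if selectable by name.
        return {"api_token": self.api_token}


def build_site() -> Site:
    return Site(pages=[Page("Home"), Page("About", listed=False)])


def _list_op(items: List[Any], seg: str) -> Any:
    # The only operations the query language defines on collections.
    if seg == "first":
        return items[0]
    if seg == "count":
        return len(items)
    raise QueryError(f"unknown collection operation: {seg}")


def _step_unsafe(current: Any, seg: str) -> Any:
    """Vulnerable step: the request-controlled segment picks ANY member."""
    if isinstance(current, list):
        return _list_op(current, seg)
    value = getattr(current, seg)  # CWE-470: reflection on untrusted input
    return value() if callable(value) else value


# Per-model allow-list of members a query may select; everything else fails.
QUERY_ALLOWED: Dict[Type[Any], Set[str]] = {
    Site: {"children"},
    Page: {"title", "listed", "slug"},
}


def _step_safe(current: Any, seg: str) -> Any:
    """Hardened step: same reflection, but only on allow-listed members."""
    if isinstance(current, list):
        return _list_op(current, seg)
    if seg not in QUERY_ALLOWED.get(type(current), set()):
        raise QueryError(f"{type(current).__name__}.{seg} is not query-accessible")
    value = getattr(current, seg)
    return value() if callable(value) else value


def _resolve(root: Site, query: str, step: Callable[[Any, str], Any]) -> Any:
    segments = query.split(".")
    if segments[0] != "site" or any(not s for s in segments):
        raise QueryError(f"malformed query: {query!r}")
    current: Any = root
    for seg in segments[1:]:
        current = step(current, seg)
    return current


def resolve_unsafe(root: Site, query: str) -> Any:
    return _resolve(root, query, _step_unsafe)


def resolve_safe(root: Site, query: str) -> Any:
    return _resolve(root, query, _step_safe)


def is_rejected(root: Site, query: str) -> bool:
    """True if the hardened resolver refuses the query."""
    try:
        resolve_safe(root, query)
    except QueryError:
        return True
    return False


if __name__ == "__main__":
    site = build_site()
    print(resolve_unsafe(site, "site.children.first.title"))   # legitimate
    print(resolve_unsafe(site, "site.debug_config"))           # leaks token
    print(resolve_unsafe(site, "site.children.first.delete"))  # destructive
    for q in ("site.api_token", "site.debug_config", "site.children.first.delete"):
        print(q, "rejected:", is_rejected(build_site(), q))
```

The hardened resolver keeps the reflection but makes the allow-list, not the attacker, decide which members are reachable; keying it on the concrete model type also blocks dunder members such as `__class__` that a name-based deny-list tends to miss. When auditing a query or search endpoint for this class of bug, look for dynamic member selection on request input (in PHP, `$obj->$name()` or `call_user_func([$obj, $name])`) and check that every reachable name passes through such a list.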


How to mitigate CVE-2026-44174

Install the security update from the vendor's website. Because exploitation requires an authenticated Panel account, reviewing and minimizing Panel user accounts reduces exposure until the update is applied.
