CVE-2026-34587

CVE-2026-34587 is a high-severity security vulnerability in getkirby/cms (composer), affecting versions < 4.9.0. It is fixed in 4.9.0 and 5.4.0.

Summary

TL;DR

This vulnerability affects all Kirby sites that use option fields (checkboxes, color, multiselect, select, radio, tags or toggles) with options from a query or API whose values may not be fully trusted. It also affects direct uses of the OptionsApi or OptionsQuery classes of Kirby's Options package from plugin or site code. The attack requires either an attacker in the group of authenticated Panel users or user interaction of another authenticated user.

This vulnerability is of high severity for affected sites.

Users' Kirby sites are not affected if they are not using any of the mentioned fields or the Options package, if all options are defined statically in the blueprints or if all dynamically gathered options are to be trusted.

Introduction

Server-Side Template Injection vulnerabilities (SSTI) occur when user input is embedded in a template in an unsafe manner and results in remote code execution on the server.

Injected user input is wrongly treated as a template command instead of as a literal string of text. This allows attackers to query arbitrary information from the affected system or call arbitrary methods to perform actions.

In a Kirby site this can be used to access protected site information, alter site content or break site behavior.

Credits

Kirby thanks @offset for responsibly reporting the identified issue.

Impact

Kirby provides field types (checkboxes, color, multiselect, select, radio, tags and toggles) that offer a fixed set of options from a configured list. This configured list can be statically defined in the blueprint or it can come from a Kirby query or (external) API source. Options coming from a query or API are treated as dynamic.

Static options can contain queries in the form {{ query }} or {< query >} that are then evaluated to a static value. Because the queries are defined in the blueprint, they can be trusted and cannot be controlled by attackers.

However, dynamic options often cannot be trusted. This is why the "options from query" and "options from API" modes are intended to resolve the option values and text strings based on queries defined within the blueprint, not within the data source.

Unfortunately, the results of these trusted queries on untrusted source data are run through the query parser a second time in affected Kirby releases.

Because of the double-resolution of dynamic option values and text strings, attackers could place malicious query templates such as {{ users.first.password }} or {{ page.delete }} in the option sources such as page titles or external API data controlled by the attacker. These queries would then be executed when the field is loaded in the Panel. When the attacker directly accesses the respective Panel view, they could get access to information normally hidden from them. As the malicious query templates are loaded for all users, it could also lead to malicious write access when another user with a higher permission level accesses the manipulated Panel view.

CVE-2026-34587 has a CVSS score of 8.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.9.0, 5.4.0); upgrading removes the vulnerable code path.

Affected versions

getkirby/cms (< 4.9.0)
getkirby/cms (>= 5.0.0, < 5.4.0)

Security releases

getkirby/cms → 4.9.0 (composer)
getkirby/cms → 5.4.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, Kirby has updated the Options logic to no longer double-resolve queries in option values coming from OptionsQuery or OptionsApi sources. Kirby now only resolves queries that are directly configured in the blueprints.
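A minimal model of the double-resolution described above and of the fix, as an added example written for this advisory and not Kirby's own code: the `resolve` and `lookup` helpers, the sample context and the page data are assumed stand-ins for Kirby's query templates and content.

```python
import re

# Toy stand-in for Kirby's query templates ({{ query }} and {< query >}),
# resolved against a context dict by dotted path. This is a simplified model
# written for this advisory, not Kirby's own Query or template implementation.
QUERY_RE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}|\{<\s*([\w.]+)\s*>\}")


def lookup(path, context):
    """Resolve a dotted query path (e.g. 'users.first.password') in context."""
    node = context
    for key in path.split("."):
        if isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return None
    return node


def resolve(template, context):
    """Single pass: replace each query template with its value, as literal text."""
    return QUERY_RE.sub(
        lambda m: str(lookup(m.group(1) or m.group(2), context)), template)


def options_vulnerable(items, text_template, context):
    """Affected behaviour: the trusted blueprint template is resolved against
    each untrusted item, and the RESULT is run through the resolver again."""
    return [resolve(resolve(text_template, {**context, "item": item}), context)
            for item in items]


def options_fixed(items, text_template, context):
    """Fixed behaviour: only the blueprint template is resolved; the item's
    data is inserted as literal text and never re-parsed."""
    return [resolve(text_template, {**context, "item": item}) for item in items]


def looks_like_query(value):
    """Defender's check: flag option source values that carry template syntax."""
    return bool(QUERY_RE.search(value))


# Constructed sample data: a site context holding a secret, and untrusted
# source pages whose titles a Panel user with content access could edit.
CONTEXT = {"users": {"first": {"password": "hash-of-admin-password"}}}
PAGES = [
    {"title": "About us"},
    {"title": "{{ users.first.password }}"},  # malicious title in the data source
]
BLUEPRINT_TEXT = "{{ item.title }}"  # trusted query configured in the blueprint

if __name__ == "__main__":
    print(options_vulnerable(PAGES, BLUEPRINT_TEXT, CONTEXT))
    print(options_fixed(PAGES, BLUEPRINT_TEXT, CONTEXT))
```

The vulnerable path turns the page title into the secret because the first pass's output is parsed a second time; the fixed path leaves it as the literal string, and `looks_like_query` can be run over source data before it is offered as options.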

Frequently Asked Questions

  1. What is CVE-2026-34587? CVE-2026-34587 is a high-severity security vulnerability in getkirby/cms (composer), affecting versions < 4.9.0. It is fixed in 4.9.0 and 5.4.0.
  2. How severe is CVE-2026-34587? CVE-2026-34587 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of getkirby/cms are affected by CVE-2026-34587? getkirby/cms (composer) versions < 4.9.0 are affected.
  4. Is there a fix for CVE-2026-34587? Yes. CVE-2026-34587 is fixed in 4.9.0 and 5.4.0. Upgrade to one of these versions or later.
  5. Is CVE-2026-34587 exploitable, and should I be worried? Whether CVE-2026-34587 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-34587 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-34587?
    • Upgrade getkirby/cms to 4.9.0 or later
    • Upgrade getkirby/cms to 5.4.0 or later

