getkirby/cms vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
CVE-2026-54005Highgetkirby/cms: Kirby: `pages.access` permission is not checked in the `site/find` REST API routeCVE-2026-54004Mediumgetkirby/cms: Kirby: Access to files of top-level drafts is not protected by permissionsCVE-2026-54003Criticalgetkirby/cms: Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` headerCVE-2026-54002Highgetkirby/cms: Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`CVE-2026-50188Mediumgetkirby/cms: Kirby: Request header injection in `Http\Remote`CVE-2026-49276Highgetkirby/cms: Kirby: Self cross-site scripting (self-XSS) in the writer fieldCVE-2026-49274Mediumgetkirby/cms: Kirby: `pages.access` permission is not checked in the pages picker for parent pagesCVE-2026-45368Highgetkirby/cms: Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontendCVE-2026-45334Mediumgetkirby/cms: Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissionsCVE-2026-44177Highgetkirby/cms: Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookupCVE-2026-44176Mediumgetkirby/cms: Kirby CMS's `pages.access` permission is not checked during rendering of page draftsCVE-2026-44175Highgetkirby/cms: Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontendCVE-2026-44174Highgetkirby/cms: Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query EndpointsCVE-2026-42051Mediumgetkirby/cms: Kirby CMS's system API endpoint leaks installed version and license data to authenticated usersCVE-2026-42174Mediumgetkirby/cms: Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissionsCVE-2026-42069Highgetkirby/cms: Kirby CMS's read access to site, user and role information is not gated by permissionsCVE-2026-42137Highgetkirby/cms: Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST APICVE-2026-41325Highgetkirby/cms: Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injectionCVE-2026-40099Mediumgetkirby/cms: Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameterCVE-2026-34587Highgetkirby/cms: Kirby has Server-Side Template Injection (SSTI) via double template resolution in option renderingCVE-2026-32870Mediumgetkirby/cms: Kirby has XML injection in its XML creator toolkitCVE-2026-21896Mediumgetkirby/cms: Kirby is missing permission checks in the content changes APICVE-2025-65012Mediumgetkirby/cms: Kirby CMS has cross-site scripting (XSS) in the changes dialogCVE-2025-30207Lowgetkirby/cms: Kirby vulnerable to path traversal in the router for PHP's built-in serverCVE-2025-31493Mediumgetkirby/cms: Kirby vulnerable to path traversal of collection names during file system lookup

Stop the waste.
Protect your environment with Kodem.