getkirby 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk cross-site scripting、パス処理の欠陥、vendor risk xxe, and vendor risk csrf があり、vendor surface software deployment and vendor surface production workloads の利用場面で vendor impact session compromise、ファイル上書き, and vendor impact unexpected behavior などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-42174 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | [email protected] | 5.3 | 0.24% | 2026-05-09 | 2026-06-17 |
| CVE-2026-42137 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0. | [email protected] | 7.1 | 0.30% | 2026-05-09 | 2026-06-17 |
| CVE-2026-42069 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | [email protected] | 7.1 | 0.23% | 2026-05-09 | 2026-06-17 |
| CVE-2026-42051 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0. | [email protected] | 5.3 | 0.19% | 2026-05-09 | 2026-06-17 |
| CVE-2026-41325 | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of use | [email protected] | 7.1 | 0.36% | 2026-04-23 | 2026-06-17 |
| CVE-2026-40099 | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of use | [email protected] | 5.3 | 0.27% | 2026-04-23 | 2026-06-17 |
| CVE-2026-34587 | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options togeth | [email protected] | 7.6 | 0.27% | 2026-04-23 | 2026-06-17 |
| CVE-2026-32870 | Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to | [email protected] | 6.9 | 0.28% | 2026-04-23 | 2026-06-17 |
| CVE-2026-29905 | Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to process this file for metadata or thumbnail generation, it triggers a fatal TypeError. | [email protected] | 6.5 | 0.45% | 2026-03-26 | 2026-06-17 |
| CVE-2026-21896 | Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. This vulnerability does not affect those who have not altered the deviated from default user permissions. This | [email protected] | 5.8 | 0.19% | 2026-01-08 | 2026-06-17 |
| CVE-2025-65012 | Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for display in the "Changes" dialog. If another authenticated user subsequently opened the dialog in their Panel, the malicious code would be executed. This vulnerability affects all Kirby 5 sites that might have potential | [email protected] | 5.1 | 0.15% | 2025-11-18 | 2026-06-17 |
| CVE-2025-31493 | Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name (such as a collection name that depends on request or user data). Sites that only use fixed calls to the `collection()` helper/`$kirby->collection()` method (i.e. calls with a simple string for the collection name) are *not* affected. A missing path traversal | [email protected] | 6.3 | 0.48% | 2025-05-13 | 2026-06-17 |
| CVE-2025-30207 | Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software (such as Apache, nginx or Caddy) are not affected. A missing path traversal check allowed attackers to navigate all files on the server that were accessible to the PHP process, including files outside of the Kirby installation. | [email protected] | 2.3 | 0.47% | 2025-05-13 | 2026-06-17 |
| CVE-2025-30159 | Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `snippet()` helper or `$kirby->snippet()` method with a dynamic snippet name (such as a snippet name that depends on request or user data). Sites that only use fixed calls to the `snippet()` helper/`$kirby->snippet()` method (i.e. calls with a simple string for the snippet name) are *not* affected. A missing path traversal check allowed attacke | [email protected] | 6.3 | 0.58% | 2025-05-13 | 2026-06-17 |
| CVE-2024-41964 | Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited upd | [email protected] | 8.1 | 0.38% | 2024-08-29 | 2026-06-17 |
| CVE-2024-27087 | Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined link formats. As the "Custom" link type is meant to be flexible, it also allows the javascript: URL scheme. In some use cases this can be intended, but it can also be misused by attackers to execute arbitrary JavaScript c | [email protected] | 4.6 | 0.35% | 2024-02-26 | 2026-06-17 |
| CVE-2024-26484 | A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Link field. NOTE: the vendor's position is that this issue did not affect any version of Kirby CMS. The only effect was on the trykirby.com demo site, which is not customer-controlled. | [email protected] | 6.1 | 0.43% | 2024-02-22 | 2026-06-17 |
| CVE-2024-26483 | An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file. | [email protected] | 8.8 | 0.97% | 2024-02-22 | 2026-06-17 |
| CVE-2024-26482 | An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's mentioned "injecting malicious scripts" would not occur. | [email protected] | 7.1 | 0.32% | 2024-02-22 | 2026-06-17 |
| CVE-2024-26481 | Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter. | [email protected] | 4.7 | 0.40% | 2024-02-22 | 2026-06-17 |