| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41325 | Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection | getkirby | kirby | - | - | 2026-04-24 00:38:50 | Deep Dive |
| CVE-2026-40099 | Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter | getkirby | kirby | - | - | 2026-04-24 00:34:02 | Deep Dive |
| CVE-2026-34587 | Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering | getkirby | kirby | - | - | 2026-04-24 00:23:37 | Deep Dive |
| CVE-2026-32870 | Kirby has XML injection in its XML creator toolkit | getkirby | kirby | - | - | 2026-04-24 00:19:14 | Deep Dive |
| CVE-2026-21896 | Kirby is missing permission checks in the content changes API | getkirby | kirby | Medium | - | 2026-01-08 18:09:10 | Deep Dive |
| CVE-2025-65012 | Kirby CMS has cross-site scripting (XSS) in the changes dialog | getkirby | kirby | - | - | 2025-11-18 22:44:12 | Deep Dive |
| CVE-2025-31493 | Path traversal of collection names during file system lookup | getkirby | kirby | - | - | 2025-05-13 15:24:40 | Deep Dive |
| CVE-2025-30207 | Kirby vulnerable to path traversal in the router for PHP's built-in server | getkirby | kirby | - | - | 2025-05-13 15:20:01 | Deep Dive |
| CVE-2025-30159 | Kirby vulnerable to path traversal of snippet names in the `snippet()` helper | getkirby | kirby | - | - | 2025-05-13 15:07:03 | Deep Dive |
| CVE-2024-41964 | Insufficient permission checks in the language settings in Kirby CMS | getkirby | kirby | High | 8.1 | 2024-08-29 16:19:22 | Deep Dive |
| CVE-2024-27087 | Kirby cross-site scripting (XSS) in the link field "Custom" type | getkirby | kirby | Medium | 4.6 | 2024-02-26 16:44:31 | Deep Dive |
| CVE-2023-38492 | Kirby vulnerable to denial of service from unlimited password lengths | getkirby | kirby | Medium | 5.3 | 2023-07-27 15:43:56 | Deep Dive |
| CVE-2023-38491 | Kirby vulnerable to Cross-site scripting (XSS) from MIME type auto-detection of uploaded files | getkirby | kirby | Medium | 5.7 | 2023-07-27 15:30:49 | Deep Dive |
| CVE-2023-38490 | Kirby XML External Entity (XXE) vulnerability in the XML data handler | getkirby | kirby | Medium | 6.8 | 2023-07-27 14:46:49 | Deep Dive |
| CVE-2023-38489 | Kirby vulnerable to Insufficient Session Expiration after a password change | getkirby | kirby | High | 7.3 | 2023-07-27 14:36:46 | Deep Dive |
| CVE-2023-38488 | Kirby vulnerable to field injection in the KirbyData text storage handler | getkirby | kirby | High | 7.1 | 2023-07-27 14:31:00 | Deep Dive |
| CVE-2022-39315 | Kirby CMS vulnerable to user enumeration in the brute force protection | getkirby | kirby | Medium | 6.5 | 2022-10-25 00:00:00 | Deep Dive |
| CVE-2022-39314 | User enumeration in the code-based login and password reset forms | getkirby | kirby | Low | - | 2022-10-24 00:00:00 | Deep Dive |
| CVE-2022-36037 | Cross-site scripting (XSS) from dynamic options in the multiselect field in Kirby | getkirby | kirby | Medium | 5.9 | 2022-08-29 17:35:09 | Deep Dive |
| CVE-2021-41258 | Cross-site scripting (XSS) from image block content in the site frontend | getkirby | kirby | High | 7.3 | 2021-11-16 18:05:18 | Deep Dive |