
kirby — Vulnerabilities & Security Advisories (25)

All 25 CVE vulnerabilities found in kirby, with AI-generated Chinese analysis, references, and POCs.

Vendor: getkirby

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41325 | Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection | CWE-863 | 8.8 (AI) | High (AI) | 2026-04-24 |
| CVE-2026-40099 | Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter | CWE-863 | 6.5 (AI) | Medium (AI) | 2026-04-24 |
| CVE-2026-34587 | Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering | CWE-1336 | 6.5 (AI) | Medium (AI) | 2026-04-24 |
| CVE-2026-32870 | Kirby has XML injection in its XML creator toolkit | CWE-91 | 7.1 (AI) | High (AI) | 2026-04-24 |
| CVE-2026-21896 | Kirby is missing permission checks in the content changes API | CWE-863 | 4.3 | - | 2026-01-08 |
| CVE-2025-65012 | Kirby CMS has cross-site scripting (XSS) in the changes dialog | CWE-79 | 4.6 (AI) | Medium (AI) | 2025-11-18 |
| CVE-2025-31493 | Path traversal of collection names during file system lookup | CWE-22 | 8.3 (AI) | High (AI) | 2025-05-13 |
| CVE-2025-30207 | Kirby vulnerable to path traversal in the router for PHP's built-in server | CWE-22 | 8.1 (AI) | High (AI) | 2025-05-13 |
| CVE-2025-30159 | Kirby vulnerable to path traversal of snippet names in the `snippet()` helper | CWE-22 | 7.1 (AI) | High (AI) | 2025-05-13 |
| CVE-2024-41964 | Insufficient permission checks in the language settings in Kirby CMS | CWE-863 | 8.1 | High | 2024-08-29 |
| CVE-2024-27087 | Kirby cross-site scripting (XSS) in the link field "Custom" type | CWE-79 | 4.6 | Medium | 2024-02-26 |
| CVE-2023-38492 | Kirby vulnerable to denial of service from unlimited password lengths | CWE-770 | 5.3 | Medium | 2023-07-27 |
| CVE-2023-38491 | Kirby vulnerable to cross-site scripting (XSS) from MIME type auto-detection of uploaded files | CWE-79 | 5.7 | Medium | 2023-07-27 |
| CVE-2023-38490 | Kirby XML External Entity (XXE) vulnerability in the XML data handler | CWE-611 | 6.8 | Medium | 2023-07-27 |
| CVE-2023-38489 | Kirby vulnerable to insufficient session expiration after a password change | CWE-613 | 7.3 | High | 2023-07-27 |
| CVE-2023-38488 | Kirby vulnerable to field injection in the KirbyData text storage handler | CWE-140 | 7.1 | High | 2023-07-27 |
| CVE-2022-39315 | Kirby CMS vulnerable to user enumeration in the brute force protection | CWE-204 | 6.5 | Medium | 2022-10-25 |
| CVE-2022-39314 | User enumeration in the code-based login and password reset forms | CWE-307 | 5.3 | - | 2022-10-24 |
| CVE-2022-36037 | Cross-site scripting (XSS) from dynamic options in the multiselect field in Kirby | CWE-79 | 5.9 | Medium | 2022-08-29 |
| CVE-2021-41258 | Cross-site scripting (XSS) from image block content in the site frontend | CWE-79 | 7.3 | High | 2021-11-16 |
| CVE-2021-41252 | Cross-site scripting (XSS) from writer field content in the site frontend | CWE-79 | 7.3 | High | 2021-11-16 |
| CVE-2021-32735 | Cross-site scripting (XSS) from field and configuration text displayed in the Panel | CWE-80 | 7.1 | High | 2021-07-02 |
| CVE-2021-29460 | Cross-site scripting (XSS) from unsanitized uploaded SVG files | CWE-79 | 7.6 | High | 2021-04-27 |
| CVE-2020-26255 | PHP Phar archives could be uploaded and executed in Kirby | CWE-434 | 6.8 | Medium | 2020-12-08 |
| CVE-2020-26253 | .dev domains treated as local in Kirby | CWE-346 | 6.8 | Medium | 2020-12-08 |

Values marked "(AI)" are the CVSS scores and severities the page flags as AI-generated rather than vendor- or NVD-assigned; "-" means no severity was given.
