| CVE-2026-45368 |
high |
— |
8.0 |
|
|
|
2d ago |
Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend |
| CVE-2026-44177 |
high |
— |
8.0 |
|
|
|
3d ago |
Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup |
| CVE-2026-44175 |
high |
— |
8.0 |
|
|
|
3d ago |
Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend |
| CVE-2026-44174 |
high |
— |
8.0 |
|
|
|
3d ago |
Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints |
| CVE-2026-34587 |
high |
— |
8.0 |
|
|
|
1mo ago |
Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering |
| CVE-2026-42069 |
medium |
6.5 |
6.5 |
|
|
|
25d ago |
Kirby CMS's read access to site, user and role information is not gated by permissions |
| CVE-2026-42137 |
medium |
6.5 |
6.5 |
|
|
|
29d ago |
Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API |
| CVE-2026-45334 |
medium |
— |
5.5 |
|
|
|
2d ago |
Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions |
| CVE-2026-44176 |
medium |
— |
5.5 |
|
|
|
3d ago |
Kirby CMS's `pages.access` permission is not checked during rendering of page drafts |
| CVE-2026-29905 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload |
| CVE-2026-42051 |
medium |
4.3 |
4.3 |
|
|
|
25d ago |
Kirby CMS's system API endpoint leaks installed version and license data to authenticated users |
| CVE-2026-42174 |
medium |
4.3 |
4.3 |
|
|
|
25d ago |
Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions |