| CVE-2026-42069 | medium | 6.5 | 6.5 | 24d ago | Kirby CMS's read access to site, user and role information is not gated by permissions |
| CVE-2026-42137 | medium | 6.5 | 6.5 | 28d ago | Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API |
| CVE-2026-45334 | medium | — | 5.5 | 1d ago | Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions |
| CVE-2026-44176 | medium | — | 5.5 | 2d ago | Kirby CMS's `pages.access` permission is not checked during rendering of page drafts |
| CVE-2026-29905 | medium | — | 5.5 | 2mo ago | Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload |
| CVE-2026-42051 | medium | 4.3 | 4.3 | 24d ago | Kirby CMS's system API endpoint leaks installed version and license data to authenticated users |
| CVE-2026-42174 | medium | 4.3 | 4.3 | 24d ago | Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions |