| CVE | Severity | Score | Score (alt.) | Listed | Title |
|---|---|---|---|---|---|
| CVE-2026-45368 | high | — | 8.0 | 1d ago | Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend |
| CVE-2026-44177 | high | — | 8.0 | 2d ago | Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup |
| CVE-2026-44175 | high | — | 8.0 | 2d ago | Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend |
| CVE-2026-44174 | high | — | 8.0 | 2d ago | Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints |
| CVE-2026-34587 | high | — | 8.0 | 1mo ago | Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering |
| CVE-2026-42069 | medium | 6.5 | 6.5 | 24d ago | Kirby CMS's read access to site, user and role information is not gated by permissions |
| CVE-2026-42137 | medium | 6.5 | 6.5 | 28d ago | Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API |
| CVE-2026-45334 | medium | — | 5.5 | 1d ago | Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions |
| CVE-2026-44176 | medium | — | 5.5 | 2d ago | Kirby CMS's `pages.access` permission is not checked during rendering of page drafts |
| CVE-2026-29905 | medium | — | 5.5 | 2mo ago | Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload |
| CVE-2017-16807 | medium | 5.4 | 5.4 | 9y ago | Kirby XSS Vulnerability |
| CVE-2026-42051 | medium | 4.3 | 4.3 | 24d ago | Kirby CMS's system API endpoint leaks installed version and license data to authenticated users |
| CVE-2026-42174 | medium | 4.3 | 4.3 | 24d ago | Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions |
| CVE-2026-41325 | unknown | — | — | 1mo ago | Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection |
| CVE-2026-40099 | unknown | — | — | 1mo ago | Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter |
| CVE-2026-32870 | unknown | — | — | 1mo ago | Kirby has XML injection in its XML creator toolkit |
| CVE-2026-21896 | unknown | — | — | 5mo ago | Kirby is missing permission checks in the content changes API |
| CVE-2025-65012 | unknown | — | — | 6mo ago | Kirby CMS has cross-site scripting (XSS) in the changes dialog |
| CVE-2025-30207 | unknown | — | — | 1y ago | Kirby vulnerable to path traversal in the router for PHP's built-in server |
| CVE-2025-31493 | unknown | — | — | 1y ago | Kirby vulnerable to path traversal of collection names during file system lookup |
| CVE-2024-41964 | unknown | — | — | 2y ago | Kirby has insufficient permission checks in the language settings |
| CVE-2024-27087 | unknown | — | — | 2y ago | Kirby vulnerable to Cross-site scripting (XSS) in the link field "Custom" type |
| CVE-2024-26481 | unknown | — | — | 2y ago | Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field |
| CVE-2024-26483 | unknown | — | — | 2y ago | Kirby vulnerable to unrestricted file upload of user avatar images |
| CVE-2023-38488 | unknown | — | — | 3y ago | Field injection in the KirbyData text storage handler |
| CVE-2023-38489 | unknown | — | — | 3y ago | Insufficient Session Expiration after a password change |
| CVE-2023-38490 | unknown | — | — | 3y ago | XML External Entity (XXE) vulnerability in the XML data handler |
| CVE-2023-38491 | unknown | — | — | 3y ago | Cross-site scripting (XSS) from MIME type auto-detection of uploaded files |
| CVE-2023-38492 | unknown | — | — | 3y ago | Denial of service from unlimited password lengths |
| CVE-2022-39315 | unknown | — | — | 4y ago | Kirby CMS vulnerable to user enumeration in the brute force protection |
| CVE-2022-39314 | unknown | — | — | 4y ago | Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms |
| CVE-2022-36037 | unknown | — | — | 4y ago | Cross-site scripting from dynamic options in the multiselect field |
| CVE-2018-14520 | unknown | — | — | 4y ago | Kirby CMS 2.5.12 Cross-site Scripting |
| CVE-2018-14519 | unknown | — | — | 4y ago | Kirby CMS 2.5.12 Cross-site Request Forgery |
| CVE-2021-41258 | unknown | — | — | 5y ago | Cross-site scripting (XSS) from image block content in the site frontend |
| CVE-2021-41252 | unknown | — | — | 5y ago | Cross-site scripting (XSS) from writer field content in the site frontend |
| CVE-2021-32735 | unknown | — | — | 5y ago | Cross-site scripting (XSS) from field and configuration text displayed in the Panel |
| CVE-2021-29460 | unknown | — | — | 5y ago | Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby |
| CVE-2020-26253 | unknown | — | — | 5y ago | Kirby .dev domains and some reverse proxy setups were treated as local |
| CVE-2020-26255 | unknown | — | — | 6y ago | Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5 |