Lookup for vulnerable packages by Package URL.

Purl pkg:composer/getkirby/cms@5.4.0
Type composer
Namespace getkirby
Name cms
Version 5.4.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 5.4.1
Latest_non_vulnerable_version 6.0.0-alpha.1
Affected_by_vulnerabilities
0
url VCID-5acg-5t6t-5ybv
vulnerability_id VCID-5acg-5t6t-5ybv
summary Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44177
reference_id
reference_type
scores
0
value 0.00135
scoring_system epss
scoring_elements 0.33309
published_at 2026-06-12T12:55:00Z
1
value 0.00173
scoring_system epss
scoring_elements 0.38685
published_at 2026-06-14T12:55:00Z
2
value 0.00173
scoring_system epss
scoring_elements 0.38696
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44177
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.1
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/5.4.1
3
reference_url https://github.com/advisories/GHSA-9hx7-c53c-v6x8
reference_id GHSA-9hx7-c53c-v6x8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9hx7-c53c-v6x8
4
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-9hx7-c53c-v6x8
reference_id GHSA-9hx7-c53c-v6x8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/security/advisories/GHSA-9hx7-c53c-v6x8
fixed_packages
0
url pkg:composer/getkirby/cms@5.4.1
purl pkg:composer/getkirby/cms@5.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1
aliases CVE-2026-44177, GHSA-9hx7-c53c-v6x8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5acg-5t6t-5ybv
1
url VCID-jkcv-nc7m-j3dp
vulnerability_id VCID-jkcv-nc7m-j3dp
summary Kirby CMS's `pages.access` permission is not checked during rendering of page drafts
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44176
reference_id
reference_type
scores
0
value 0.00033
scoring_system epss
scoring_elements 0.10093
published_at 2026-06-12T12:55:00Z
1
value 0.00033
scoring_system epss
scoring_elements 0.10083
published_at 2026-06-14T12:55:00Z
2
value 0.00033
scoring_system epss
scoring_elements 0.10099
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44176
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.1
reference_id
reference_type
scores
0
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/4.9.1
3
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.1
reference_id
reference_type
scores
0
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/5.4.1
4
reference_url https://github.com/advisories/GHSA-2xw4-v2wx-hqq9
reference_id GHSA-2xw4-v2wx-hqq9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2xw4-v2wx-hqq9
5
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-2xw4-v2wx-hqq9
reference_id GHSA-2xw4-v2wx-hqq9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/security/advisories/GHSA-2xw4-v2wx-hqq9
fixed_packages
0
url pkg:composer/getkirby/cms@5.4.1
purl pkg:composer/getkirby/cms@5.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1
aliases CVE-2026-44176, GHSA-2xw4-v2wx-hqq9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jkcv-nc7m-j3dp
2
url VCID-ngz6-fm9j-4ucy
vulnerability_id VCID-ngz6-fm9j-4ucy
summary Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44175
reference_id
reference_type
scores
0
value 0.0004
scoring_system epss
scoring_elements 0.12414
published_at 2026-06-12T12:55:00Z
1
value 0.0004
scoring_system epss
scoring_elements 0.12402
published_at 2026-06-14T12:55:00Z
2
value 0.0004
scoring_system epss
scoring_elements 0.12423
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44175
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.1
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/4.9.1
3
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.1
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/5.4.1
4
reference_url https://github.com/advisories/GHSA-5fhx-9q32-q257
reference_id GHSA-5fhx-9q32-q257
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5fhx-9q32-q257
5
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-5fhx-9q32-q257
reference_id GHSA-5fhx-9q32-q257
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/security/advisories/GHSA-5fhx-9q32-q257
fixed_packages
0
url pkg:composer/getkirby/cms@5.4.1
purl pkg:composer/getkirby/cms@5.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1
aliases CVE-2026-44175, GHSA-5fhx-9q32-q257
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ngz6-fm9j-4ucy
3
url VCID-qbq9-a8cw-5ugu
vulnerability_id VCID-qbq9-a8cw-5ugu
summary Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-45334
reference_id
reference_type
scores
0
value 0.00033
scoring_system epss
scoring_elements 0.10093
published_at 2026-06-12T12:55:00Z
1
value 0.00033
scoring_system epss
scoring_elements 0.10083
published_at 2026-06-14T12:55:00Z
2
value 0.00033
scoring_system epss
scoring_elements 0.10099
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-45334
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/4.9.1
3
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/5.4.1
4
reference_url https://github.com/advisories/GHSA-39vq-49qm-r2mc
reference_id GHSA-39vq-49qm-r2mc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-39vq-49qm-r2mc
5
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-39vq-49qm-r2mc
reference_id GHSA-39vq-49qm-r2mc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/security/advisories/GHSA-39vq-49qm-r2mc
fixed_packages
0
url pkg:composer/getkirby/cms@5.4.1
purl pkg:composer/getkirby/cms@5.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1
aliases CVE-2026-45334, GHSA-39vq-49qm-r2mc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qbq9-a8cw-5ugu
4
url VCID-xz7d-pny6-gkf7
vulnerability_id VCID-xz7d-pny6-gkf7
summary Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44174
reference_id
reference_type
scores
0
value 0.0007
scoring_system epss
scoring_elements 0.21785
published_at 2026-06-12T12:55:00Z
1
value 0.0007
scoring_system epss
scoring_elements 0.21771
published_at 2026-06-14T12:55:00Z
2
value 0.0007
scoring_system epss
scoring_elements 0.21797
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44174
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.1
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/4.9.1
3
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.1
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/5.4.1
4
reference_url https://github.com/advisories/GHSA-86rh-h242-j8xp
reference_id GHSA-86rh-h242-j8xp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-86rh-h242-j8xp
5
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-86rh-h242-j8xp
reference_id GHSA-86rh-h242-j8xp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/security/advisories/GHSA-86rh-h242-j8xp
fixed_packages
0
url pkg:composer/getkirby/cms@5.4.1
purl pkg:composer/getkirby/cms@5.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1
aliases CVE-2026-44174, GHSA-86rh-h242-j8xp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xz7d-pny6-gkf7
5
url VCID-zuh5-yybj-h7er
vulnerability_id VCID-zuh5-yybj-h7er
summary Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-45368
reference_id
reference_type
scores
0
value 0.00062
scoring_system epss
scoring_elements 0.19678
published_at 2026-06-12T12:55:00Z
1
value 0.00062
scoring_system epss
scoring_elements 0.19674
published_at 2026-06-14T12:55:00Z
2
value 0.00062
scoring_system epss
scoring_elements 0.19699
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-45368
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.1
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/4.9.1
3
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.1
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/releases/tag/5.4.1
4
reference_url https://github.com/advisories/GHSA-qvjf-922g-pj44
reference_id GHSA-qvjf-922g-pj44
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qvjf-922g-pj44
5
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-qvjf-922g-pj44
reference_id GHSA-qvjf-922g-pj44
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby/security/advisories/GHSA-qvjf-922g-pj44
fixed_packages
0
url pkg:composer/getkirby/cms@5.4.1
purl pkg:composer/getkirby/cms@5.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1
aliases CVE-2026-45368, GHSA-qvjf-922g-pj44
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zuh5-yybj-h7er
Fixing_vulnerabilities
0
url VCID-1425-ev7t-vqfg
vulnerability_id VCID-1425-ev7t-vqfg
summary Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42051
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.1047
published_at 2026-06-13T12:55:00Z
1
value 0.00034
scoring_system epss
scoring_elements 0.10444
published_at 2026-06-14T12:55:00Z
2
value 0.00034
scoring_system epss
scoring_elements 0.10467
published_at 2026-06-12T12:55:00Z
3
value 0.00034
scoring_system epss
scoring_elements 0.10415
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42051
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42051
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42051
3
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.0
reference_id 4.9.0
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:40:16Z/
url https://github.com/getkirby/kirby/releases/tag/4.9.0
4
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.0
reference_id 5.4.0
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:40:16Z/
url https://github.com/getkirby/kirby/releases/tag/5.4.0
5
reference_url https://github.com/advisories/GHSA-x68m-c7jf-2572
reference_id GHSA-x68m-c7jf-2572
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x68m-c7jf-2572
6
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-x68m-c7jf-2572
reference_id GHSA-x68m-c7jf-2572
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:40:16Z/
url https://github.com/getkirby/kirby/security/advisories/GHSA-x68m-c7jf-2572
fixed_packages
0
url pkg:composer/getkirby/cms@4.9.0
purl pkg:composer/getkirby/cms@4.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jkcv-nc7m-j3dp
1
vulnerability VCID-ngz6-fm9j-4ucy
2
vulnerability VCID-qbq9-a8cw-5ugu
3
vulnerability VCID-xz7d-pny6-gkf7
4
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0
1
url pkg:composer/getkirby/cms@5.4.0
purl pkg:composer/getkirby/cms@5.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5acg-5t6t-5ybv
1
vulnerability VCID-jkcv-nc7m-j3dp
2
vulnerability VCID-ngz6-fm9j-4ucy
3
vulnerability VCID-qbq9-a8cw-5ugu
4
vulnerability VCID-xz7d-pny6-gkf7
5
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0
aliases CVE-2026-42051, GHSA-x68m-c7jf-2572
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1425-ev7t-vqfg
1
url VCID-88cy-kbt4-4qfq
vulnerability_id VCID-88cy-kbt4-4qfq
summary Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However, the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However, the REST API allows overriding the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40099
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.08381
published_at 2026-06-12T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.08379
published_at 2026-06-14T12:55:00Z
2
value 0.00028
scoring_system epss
scoring_elements 0.08384
published_at 2026-06-13T12:55:00Z
3
value 0.00028
scoring_system epss
scoring_elements 0.08343
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40099
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40099
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40099
3
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.0
reference_id 4.9.0
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/
url https://github.com/getkirby/kirby/releases/tag/4.9.0
4
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.0
reference_id 5.4.0
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/
url https://github.com/getkirby/kirby/releases/tag/5.4.0
5
reference_url https://github.com/advisories/GHSA-w942-j9r6-hr6r
reference_id GHSA-w942-j9r6-hr6r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w942-j9r6-hr6r
6
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r
reference_id GHSA-w942-j9r6-hr6r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/
url https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r
fixed_packages
0
url pkg:composer/getkirby/cms@4.9.0
purl pkg:composer/getkirby/cms@4.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jkcv-nc7m-j3dp
1
vulnerability VCID-ngz6-fm9j-4ucy
2
vulnerability VCID-qbq9-a8cw-5ugu
3
vulnerability VCID-xz7d-pny6-gkf7
4
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0
1
url pkg:composer/getkirby/cms@5.0.0-alpha.1
purl pkg:composer/getkirby/cms@5.0.0-alpha.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1
2
url pkg:composer/getkirby/cms@5.4.0
purl pkg:composer/getkirby/cms@5.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5acg-5t6t-5ybv
1
vulnerability VCID-jkcv-nc7m-j3dp
2
vulnerability VCID-ngz6-fm9j-4ucy
3
vulnerability VCID-qbq9-a8cw-5ugu
4
vulnerability VCID-xz7d-pny6-gkf7
5
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0
3
url pkg:composer/getkirby/cms@6.0.0-alpha.1
purl pkg:composer/getkirby/cms@6.0.0-alpha.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@6.0.0-alpha.1
aliases CVE-2026-40099, GHSA-w942-j9r6-hr6r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-88cy-kbt4-4qfq
2
url VCID-924u-ruz7-4ycw
vulnerability_id VCID-924u-ruz7-4ycw
summary Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data handler are not used in the Kirby core. However, they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32870
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.13417
published_at 2026-06-11T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.1351
published_at 2026-06-14T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.13534
published_at 2026-06-12T12:55:00Z
3
value 0.00043
scoring_system epss
scoring_elements 0.13537
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32870
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32870
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32870
3
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.0
reference_id 4.9.0
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/
url https://github.com/getkirby/kirby/releases/tag/4.9.0
4
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.0
reference_id 5.4.0
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/
url https://github.com/getkirby/kirby/releases/tag/5.4.0
5
reference_url https://github.com/advisories/GHSA-9wfj-c55w-j9qr
reference_id GHSA-9wfj-c55w-j9qr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9wfj-c55w-j9qr
6
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr
reference_id GHSA-9wfj-c55w-j9qr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/
url https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr
fixed_packages
0
url pkg:composer/getkirby/cms@4.9.0
purl pkg:composer/getkirby/cms@4.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jkcv-nc7m-j3dp
1
vulnerability VCID-ngz6-fm9j-4ucy
2
vulnerability VCID-qbq9-a8cw-5ugu
3
vulnerability VCID-xz7d-pny6-gkf7
4
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0
1
url pkg:composer/getkirby/cms@5.0.0-alpha.1
purl pkg:composer/getkirby/cms@5.0.0-alpha.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1
2
url pkg:composer/getkirby/cms@5.4.0
purl pkg:composer/getkirby/cms@5.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5acg-5t6t-5ybv
1
vulnerability VCID-jkcv-nc7m-j3dp
2
vulnerability VCID-ngz6-fm9j-4ucy
3
vulnerability VCID-qbq9-a8cw-5ugu
4
vulnerability VCID-xz7d-pny6-gkf7
5
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0
3
url pkg:composer/getkirby/cms@6.0.0-alpha.1
purl pkg:composer/getkirby/cms@6.0.0-alpha.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@6.0.0-alpha.1
aliases CVE-2026-32870, GHSA-9wfj-c55w-j9qr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-924u-ruz7-4ycw
3
url VCID-9hqx-7awz-gkgk
vulnerability_id VCID-9hqx-7awz-gkgk
summary Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. Kirby provides the `pages.create`, `files.create` and `users.create` permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via `options`. Prior to versions 4.9.0 and 5.4.0, Kirby allowed the `options` to be overridden during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected `options` could include `'create' => true`, which then overrode the permissions and options configured by the site developer in the user and model blueprints. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. The patched versions have updated the normalization code that is used during the creation of pages, files and users to include a filter for the `blueprint` property. This prevents the injection of dynamic blueprint configuration into the creation request.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41325
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12829
published_at 2026-06-11T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12915
published_at 2026-06-14T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12924
published_at 2026-06-12T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12934
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41325
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41325
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41325
3
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.0
reference_id 4.9.0
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T12:11:33Z/
url https://github.com/getkirby/kirby/releases/tag/4.9.0
4
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.0
reference_id 5.4.0
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T12:11:33Z/
url https://github.com/getkirby/kirby/releases/tag/5.4.0
5
reference_url https://github.com/advisories/GHSA-6gqr-mx34-wh8r
reference_id GHSA-6gqr-mx34-wh8r
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6gqr-mx34-wh8r
6
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r
reference_id GHSA-6gqr-mx34-wh8r
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T12:11:33Z/
url https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r
fixed_packages
0
url pkg:composer/getkirby/cms@4.9.0
purl pkg:composer/getkirby/cms@4.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jkcv-nc7m-j3dp
1
vulnerability VCID-ngz6-fm9j-4ucy
2
vulnerability VCID-qbq9-a8cw-5ugu
3
vulnerability VCID-xz7d-pny6-gkf7
4
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0
1
url pkg:composer/getkirby/cms@5.4.0
purl pkg:composer/getkirby/cms@5.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5acg-5t6t-5ybv
1
vulnerability VCID-jkcv-nc7m-j3dp
2
vulnerability VCID-ngz6-fm9j-4ucy
3
vulnerability VCID-qbq9-a8cw-5ugu
4
vulnerability VCID-xz7d-pny6-gkf7
5
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0
aliases CVE-2026-41325, GHSA-6gqr-mx34-wh8r
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9hqx-7awz-gkgk
4
url VCID-apwy-kpv6-1bfv
vulnerability_id VCID-apwy-kpv6-1bfv
summary Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). In affected releases, Kirby checked these permissions independently and only for the respective action. However, the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However, the REST API allows overriding the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has updated the `Options` logic to no longer double-resolve queries in option values coming from `OptionsQuery` or `OptionsApi` sources. Kirby now only resolves queries that are directly configured in the blueprints.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34587
reference_id
reference_type
scores
0
value 0.00033
scoring_system epss
scoring_elements 0.10312
published_at 2026-06-13T12:55:00Z
1
value 0.00033
scoring_system epss
scoring_elements 0.1029
published_at 2026-06-14T12:55:00Z
2
value 0.00033
scoring_system epss
scoring_elements 0.10257
published_at 2026-06-11T12:55:00Z
3
value 0.00033
scoring_system epss
scoring_elements 0.10307
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34587
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34587
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34587
3
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.0
reference_id 4.9.0
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T17:10:14Z/
url https://github.com/getkirby/kirby/releases/tag/4.9.0
4
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.0
reference_id 5.4.0
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T17:10:14Z/
url https://github.com/getkirby/kirby/releases/tag/5.4.0
5
reference_url https://github.com/advisories/GHSA-jcjw-58rv-c452
reference_id GHSA-jcjw-58rv-c452
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jcjw-58rv-c452
6
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-jcjw-58rv-c452
reference_id GHSA-jcjw-58rv-c452
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T17:10:14Z/
url https://github.com/getkirby/kirby/security/advisories/GHSA-jcjw-58rv-c452
fixed_packages
0
url pkg:composer/getkirby/cms@4.9.0
purl pkg:composer/getkirby/cms@4.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jkcv-nc7m-j3dp
1
vulnerability VCID-ngz6-fm9j-4ucy
2
vulnerability VCID-qbq9-a8cw-5ugu
3
vulnerability VCID-xz7d-pny6-gkf7
4
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0
1
url pkg:composer/getkirby/cms@5.0.0-alpha.1
purl pkg:composer/getkirby/cms@5.0.0-alpha.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1
2
url pkg:composer/getkirby/cms@5.4.0
purl pkg:composer/getkirby/cms@5.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5acg-5t6t-5ybv
1
vulnerability VCID-jkcv-nc7m-j3dp
2
vulnerability VCID-ngz6-fm9j-4ucy
3
vulnerability VCID-qbq9-a8cw-5ugu
4
vulnerability VCID-xz7d-pny6-gkf7
5
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0
3
url pkg:composer/getkirby/cms@6.0.0-alpha.1
purl pkg:composer/getkirby/cms@6.0.0-alpha.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@6.0.0-alpha.1
aliases CVE-2026-34587, GHSA-jcjw-58rv-c452
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-apwy-kpv6-1bfv
5
url VCID-eu1n-h4bb-cbhk
vulnerability_id VCID-eu1n-h4bb-cbhk
summary Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42137
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01428
published_at 2026-06-12T12:55:00Z
1
value 0.00011
scoring_system epss
scoring_elements 0.01443
published_at 2026-06-14T12:55:00Z
2
value 0.00011
scoring_system epss
scoring_elements 0.01436
published_at 2026-06-13T12:55:00Z
3
value 0.00011
scoring_system epss
scoring_elements 0.01424
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42137
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.0
reference_id 4.9.0
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T02:21:41Z/
url https://github.com/getkirby/kirby/releases/tag/4.9.0
3
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.0
reference_id 5.4.0
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T02:21:41Z/
url https://github.com/getkirby/kirby/releases/tag/5.4.0
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42137
reference_id CVE-2026-42137
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-42137
5
reference_url https://github.com/advisories/GHSA-85x2-r8xv-ww8c
reference_id GHSA-85x2-r8xv-ww8c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-85x2-r8xv-ww8c
6
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c
reference_id GHSA-85x2-r8xv-ww8c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T02:21:41Z/
url https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c
fixed_packages
0
url pkg:composer/getkirby/cms@4.9.0
purl pkg:composer/getkirby/cms@4.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jkcv-nc7m-j3dp
1
vulnerability VCID-ngz6-fm9j-4ucy
2
vulnerability VCID-qbq9-a8cw-5ugu
3
vulnerability VCID-xz7d-pny6-gkf7
4
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0
1
url pkg:composer/getkirby/cms@5.4.0
purl pkg:composer/getkirby/cms@5.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5acg-5t6t-5ybv
1
vulnerability VCID-jkcv-nc7m-j3dp
2
vulnerability VCID-ngz6-fm9j-4ucy
3
vulnerability VCID-qbq9-a8cw-5ugu
4
vulnerability VCID-xz7d-pny6-gkf7
5
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0
aliases CVE-2026-42137, GHSA-85x2-r8xv-ww8c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eu1n-h4bb-cbhk
6
url VCID-mykp-v2xy-kuh4
vulnerability_id VCID-mykp-v2xy-kuh4
summary Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42069
reference_id
reference_type
scores
0
value 0.0003
scoring_system epss
scoring_elements 0.09062
published_at 2026-06-13T12:55:00Z
1
value 0.0003
scoring_system epss
scoring_elements 0.0905
published_at 2026-06-14T12:55:00Z
2
value 0.0003
scoring_system epss
scoring_elements 0.0906
published_at 2026-06-12T12:55:00Z
3
value 0.0003
scoring_system epss
scoring_elements 0.09011
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42069
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42069
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42069
3
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.0
reference_id 4.9.0
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:32:21Z/
url https://github.com/getkirby/kirby/releases/tag/4.9.0
4
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.0
reference_id 5.4.0
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:32:21Z/
url https://github.com/getkirby/kirby/releases/tag/5.4.0
5
reference_url https://github.com/advisories/GHSA-2h7v-4372-f6x2
reference_id GHSA-2h7v-4372-f6x2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2h7v-4372-f6x2
6
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2
reference_id GHSA-2h7v-4372-f6x2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:32:21Z/
url https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2
fixed_packages
0
url pkg:composer/getkirby/cms@4.9.0
purl pkg:composer/getkirby/cms@4.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jkcv-nc7m-j3dp
1
vulnerability VCID-ngz6-fm9j-4ucy
2
vulnerability VCID-qbq9-a8cw-5ugu
3
vulnerability VCID-xz7d-pny6-gkf7
4
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0
1
url pkg:composer/getkirby/cms@5.4.0
purl pkg:composer/getkirby/cms@5.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5acg-5t6t-5ybv
1
vulnerability VCID-jkcv-nc7m-j3dp
2
vulnerability VCID-ngz6-fm9j-4ucy
3
vulnerability VCID-qbq9-a8cw-5ugu
4
vulnerability VCID-xz7d-pny6-gkf7
5
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0
aliases CVE-2026-42069, GHSA-2h7v-4372-f6x2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mykp-v2xy-kuh4
7
url VCID-xjxr-1fjw-63ca
vulnerability_id VCID-xjxr-1fjw-63ca
summary Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42174
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.01036
published_at 2026-06-13T12:55:00Z
1
value 9e-05
scoring_system epss
scoring_elements 0.0104
published_at 2026-06-14T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.0103
published_at 2026-06-12T12:55:00Z
3
value 9e-05
scoring_system epss
scoring_elements 0.01032
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42174
1
reference_url https://github.com/getkirby/kirby
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/getkirby/kirby
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42174
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42174
3
reference_url https://github.com/getkirby/kirby/releases/tag/4.9.0
reference_id 4.9.0
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:41:35Z/
url https://github.com/getkirby/kirby/releases/tag/4.9.0
4
reference_url https://github.com/getkirby/kirby/releases/tag/5.4.0
reference_id 5.4.0
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:41:35Z/
url https://github.com/getkirby/kirby/releases/tag/5.4.0
5
reference_url https://github.com/advisories/GHSA-39cp-6679-8xv2
reference_id GHSA-39cp-6679-8xv2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-39cp-6679-8xv2
6
reference_url https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2
reference_id GHSA-39cp-6679-8xv2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:41:35Z/
url https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2
fixed_packages
0
url pkg:composer/getkirby/cms@4.9.0
purl pkg:composer/getkirby/cms@4.9.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jkcv-nc7m-j3dp
1
vulnerability VCID-ngz6-fm9j-4ucy
2
vulnerability VCID-qbq9-a8cw-5ugu
3
vulnerability VCID-xz7d-pny6-gkf7
4
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0
1
url pkg:composer/getkirby/cms@5.4.0
purl pkg:composer/getkirby/cms@5.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5acg-5t6t-5ybv
1
vulnerability VCID-jkcv-nc7m-j3dp
2
vulnerability VCID-ngz6-fm9j-4ucy
3
vulnerability VCID-qbq9-a8cw-5ugu
4
vulnerability VCID-xz7d-pny6-gkf7
5
vulnerability VCID-zuh5-yybj-h7er
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0
aliases CVE-2026-42174, GHSA-39cp-6679-8xv2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xjxr-1fjw-63ca
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0