Lookup for vulnerable packages by Package URL.

GET /api/packages/604337?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/604337?format=api",
    "purl": "pkg:composer/getkirby/cms@3.6.3",
    "type": "composer",
    "namespace": "getkirby",
    "name": "cms",
    "version": "3.6.3",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "4.9.1",
    "latest_non_vulnerable_version": "6.0.0-alpha.1",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57287?format=api",
            "vulnerability_id": "VCID-1zg8-cndr-73hk",
            "summary": "Kirby vulnerable to path traversal of collection names during file system lookup\nThe missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the collections root or even outside of the Kirby installation. PHP code within such files was executed.\n\nSuch attacks first require an attack vector in the site code that is caused by dynamic collection names, such as `collection('tags-' . get('tags'))`. It generally also requires knowledge of the site structure and the server's file system by the attacker, although it can be possible to find vulnerable setups through automated methods such as fuzzing.\n\nIn a vulnerable setup, this could cause damage to the confidentiality and integrity of the server, for example:\n\n- it could allow the attacker to build a map of the server's file system for subsequent attacks,\n- it could allow access to configuration files that may contain sensitive information like security tokens or\n- it could cause the unintended execution of PHP scripts.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-31493",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00771",
                            "scoring_system": "epss",
                            "scoring_elements": "0.73943",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00771",
                            "scoring_system": "epss",
                            "scoring_elements": "0.73948",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-31493"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/95a51480a426a8ed0df799cc017403be9b987ced",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/95a51480a426a8ed0df799cc017403be9b987ced"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.10.1.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:08:28Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.10.1.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.9.8.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:08:28Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.9.8.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.7.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:08:28Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.7.1"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31493",
                    "reference_id": "CVE-2025-31493",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31493"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-x275-h9j4-7p4h",
                    "reference_id": "GHSA-x275-h9j4-7p4h",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-x275-h9j4-7p4h"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-x275-h9j4-7p4h",
                    "reference_id": "GHSA-x275-h9j4-7p4h",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:08:28Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-x275-h9j4-7p4h"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/818228?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.8.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.8.3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/85114?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.8%2B3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.8%252B3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/818230?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.10.1.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.10.1.2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/85115?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.10.1%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.10.1%252B2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/85116?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.7.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.7.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/818240?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.0.0-alpha.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1"
                }
            ],
            "aliases": [
                "CVE-2025-31493",
                "GHSA-x275-h9j4-7p4h"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1zg8-cndr-73hk"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89231?format=api",
            "vulnerability_id": "VCID-4wcn-6ujb-tuhr",
            "summary": "Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API\n### TL;DR\n\nThis vulnerability affects all Kirby sites where users of a particular role have no permission to access or list pages or files (`pages.access`, `pages.list`, `files.access` or `files.list` permission is disabled). This can be due to configuration in the user blueprint(s), via `options` in the model blueprint(s) or via a combination of both settings.\n\n**This vulnerability is of high severity for affected sites.**\n\nConsumers' Kirby sites are *not* affected if they intend all users to be able to access all pages and files of the site. The vulnerability can only be exploited by authenticated users. Write actions are *not* affected by this vulnerability.\n\n----\n\n### Introduction\n\nMissing authorization allows authenticated users to perform actions they are not intended to have access to.\n\nThe effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.\n\n### Impact\n\nKirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions.\n\nKirby provides the `pages.access`, `pages.list`, `files.access` and `files.list` permissions (among others). The `list` permissions control whether affected models appear in lists throughout the Panel and REST API. 
The `access` permissions have the same effect but also disable direct access to the affected models.\n\nIn affected releases, Kirby did not consistently hide non-listable models (models for which the respective `access` or `list` permission was disabled) in the following scenarios:\n\n- The changes dialog in the Panel listed changed models even if they were not listable.\n- The REST API respected the permissions during direct model access, but did not consistently filter collections as well as related models that are included in the API responses for convenience. This includes:\n  - missing permission checks for children, drafts, files, parents and siblings of pages,\n  - missing permission checks for parents and siblings (`next`/`nextWithTemplate `, `prev`/`prevWithTemplate`) of files,\n  - missing permission checks for children, drafts and files of the site model,\n  - missing permission checks for files of users,\n  - incorrect permission checks for `pages.access` instead of `pages.list` for the site and pages children and search routes and\n  - incorrect permission checks for `files.access` instead of `files.list` for the account, site, pages and users files and search routes,\n- The Panel images for site, pages and users were displayed in lists of the parent model even if the image files were not listable.\n- The link targets for the previous and next files in the files view were not gated by the files being listable.\n\n### Patches\n\nThe problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have added permission checks for `$model->isListable()` in all of the affected places. 
This ensures that results are filtered by the listable property, thereby enforcing the `pages.access`, `pages.list`, `files.access` and `files.list` permissions consistently.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42137",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0001",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01106",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42137"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.9.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T02:21:41Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/5.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T02:21:41Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T02:21:41Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42137",
                    "reference_id": "CVE-2026-42137",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42137"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-85x2-r8xv-ww8c",
                    "reference_id": "GHSA-85x2-r8xv-ww8c",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-85x2-r8xv-ww8c"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110110?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.9.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110111?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n16k-n4g1-bqe4"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"
                }
            ],
            "aliases": [
                "CVE-2026-42137",
                "GHSA-85x2-r8xv-ww8c"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4wcn-6ujb-tuhr"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90268?format=api",
            "vulnerability_id": "VCID-8a1t-g8pv-4fcb",
            "summary": "Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter\n### TL;DR\n\nThis vulnerability affects all Kirby sites where users have the permission to create pages (`pages.create` permission is enabled) but not the permission to change the status of pages (`pages.changeStatus` permission is disabled). This can be due to configuration in the user blueprint(s), via `options` in the page blueprint(s) or via a combination of both settings.\n\nUsers' Kirby sites are *not* affected if their use case does not consider the creation of published pages a malicious action. The vulnerability can only be exploited by authenticated users.\n\n----\n\n### Introduction\n\nAn authorization bypass allows authenticated users to perform actions they should not be allowed to perform based on their configured permissions, thereby causing a privilege escalation.\n\nThe effects of an authorization bypass can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.\n\n### Impact\n\nKirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions.\n\nFor pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). In affected releases, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation.\n\nNew pages are created as drafts by default and need to be published by changing the page status of an existing page draft. 
This is ensured when the page is created via the Kirby Panel. However, the REST API allows overriding the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow.\n\n### Patches\n\nThe problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts.\n\n### Credits\n\nKirby thanks @offset for responsibly reporting the identified issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40099",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00028",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08344",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00028",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08355",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40099"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.9.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/5.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40099",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40099"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-w942-j9r6-hr6r",
                    "reference_id": "GHSA-w942-j9r6-hr6r",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-w942-j9r6-hr6r"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110110?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.9.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/818240?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.0.0-alpha.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110111?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n16k-n4g1-bqe4"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/925613?format=api",
                    "purl": "pkg:composer/getkirby/cms@6.0.0-alpha.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@6.0.0-alpha.1"
                }
            ],
            "aliases": [
                "CVE-2026-40099",
                "GHSA-w942-j9r6-hr6r"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8a1t-g8pv-4fcb"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/94742?format=api",
            "vulnerability_id": "VCID-e9gx-3frn-gfeu",
            "summary": "Kirby CMS's system API endpoint leaks installed version and license data to authenticated users\n### TL;DR\n\nThis vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.\n\n----\n\n### Introduction\n\nMissing authorization allows authenticated users to perform actions they are not intended to have access to.\n\nThe effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.\n\n### Impact\n\nKirby's user permissions control which user role is allowed to perform specific actions in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). The permissions control the authorization of user actions (with handling of model-specific authorization omitted here for brevity).\n\nKirby provides the `access.system` permission (among others) that controls access to the system area of the Kirby Panel. This area contains internal system information like the installed Kirby, plugin and server versions, security state and Kirby license. If the `access.system` permission is disabled for a user role, users of that role should not be able to access this internal system information. However it is also possible to access some system information via the `/api/system` REST API endpoint. In affected releases, the response of this endpoint for authenticated users contained the installed Kirby version and the status, type and code of the installed Kirby license. 
These values are considered sensitive information and should be protected by the `access.system` permission.\n\nThe installed Kirby version and license data can be used by malicious actors during reconnaissance when planning a separate attack.\n\n### Patches\n\nThe problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have protected the version and license properties of the `/api/system` endpoint with a check for the existing `access.system` permission. This ensures that the REST API only outputs information that should be accessible to the user via the Panel.\n\n### Credits\n\nKirby thanks @HuajiHD and @0x-bala for responsibly reporting the identified issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42051",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00029",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08905",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00029",
                            "scoring_system": "epss",
                            "scoring_elements": "0.08889",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42051"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.9.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:40:16Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/5.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:40:16Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-x68m-c7jf-2572",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:40:16Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-x68m-c7jf-2572"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42051",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42051"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-x68m-c7jf-2572",
                    "reference_id": "GHSA-x68m-c7jf-2572",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-x68m-c7jf-2572"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110110?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.9.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110111?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n16k-n4g1-bqe4"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"
                }
            ],
            "aliases": [
                "CVE-2026-42051",
                "GHSA-x68m-c7jf-2572"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e9gx-3frn-gfeu"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90119?format=api",
            "vulnerability_id": "VCID-g46n-k3pp-t3a5",
            "summary": "Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering\n### TL;DR\n\nThis vulnerability affects all Kirby sites that use option fields (`checkboxes`, `color`, `multiselect`, `select`, `radio`, `tags` or `toggles`) with options from a query or API whose values may not be fully trusted. It also affects direct uses of the `OptionsApi` or `OptionsQuery` classes of Kirby's `Options` package from plugin or site code. The attack requires either an attacker in the group of authenticated Panel users or user interaction of another authenticated user.\n\n**This vulnerability is of high severity for affected sites.**\n\nUsers' Kirby sites are *not* affected if they are not using any of the mentioned fields or the `Options` package, if all options are defined statically in the blueprints or if all dynamically gathered options are to be trusted.\n\n----\n\n### Introduction\n\nServer-Side Template Injection vulnerabilities (SSTI) occur when user input is embedded in a template in an unsafe manner and results in remote code execution on the server.\n\nInjected user input is wrongly treated as a template command instead of as a literal string of text. This allows attackers to query arbitrary information from the affected system or call arbitrary methods to perform actions.\n\nIn a Kirby site this can be used to access protected site information, alter site content or break site behavior.\n\n### Impact\n\nKirby provides field types (`checkboxes`, `color`, `multiselect`, `select`, `radio`, `tags` and `toggles`) that offer a fixed set of options from a configured list. This configured list can be statically defined in the blueprint or it can come from a Kirby query or (external) API source. Options coming from a query or API are treated as dynamic.\n\nStatic options can contain queries in the form `{{ query }}` or `{< query >}` that are then evaluated to a static value. 
Because the queries are defined in the blueprint, they can be trusted and cannot be controlled by attackers.\n\nHowever, dynamic options often cannot be trusted. This is why the \"options from query\" and \"options from API\" modes are intended to resolve the option values and text strings based on queries not defined within the data source but within the blueprint.\n\nUnfortunately, the results of these trusted queries on untrusted source data are run through the query parser a second time in affected Kirby releases.\n\nBecause of the double-resolution of dynamic option values and text strings, attackers could place malicious query templates such as `{{ users.first.password }}` or `{{ page.delete }}` in the option sources such as page titles or external API data controlled by the attacker. These queries would then be executed when the field is loaded in the Panel. When the attacker directly accesses the respective Panel view, they could get access to information normally hidden from them. As the malicious query templates are loaded for all users, it could also lead to malicious write access when another user with a higher permission level accesses the manipulated Panel view.\n\n### Patches\n\nThe problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, Kirby has updated the `Options` logic to no longer double-resolve queries in option values coming from `OptionsQuery` or `OptionsApi` sources. Kirby now only resolves queries that are directly configured in the blueprints.\n\n### Credits\n\nKirby thanks @offset for responsibly reporting the identified issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34587",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00033",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10269",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00033",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10249",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34587"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.9.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T17:10:14Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/5.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T17:10:14Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-jcjw-58rv-c452",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T17:10:14Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-jcjw-58rv-c452"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34587",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34587"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-jcjw-58rv-c452",
                    "reference_id": "GHSA-jcjw-58rv-c452",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-jcjw-58rv-c452"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110110?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.9.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/818240?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.0.0-alpha.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110111?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n16k-n4g1-bqe4"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/925613?format=api",
                    "purl": "pkg:composer/getkirby/cms@6.0.0-alpha.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@6.0.0-alpha.1"
                }
            ],
            "aliases": [
                "CVE-2026-34587",
                "GHSA-jcjw-58rv-c452"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g46n-k3pp-t3a5"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45752?format=api",
            "vulnerability_id": "VCID-ge49-hn25-eqba",
            "summary": "Incorrect Authorization\nKirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update a Kirby content file (e.g. via a contact or comment form). Kirby sites are *not* affected if they don't allow write access for untrusted users or visitors.\n\nA field injection in a content storage implementation is a type of vulnerability that allows attackers with content write access to overwrite content fields that the site developer didn't intend to be modified. In a Kirby site this can be used to alter site content, break site behavior or inject malicious data or code. The exact security risk depends on the field type and usage.\n\nKirby stores content of the site, of pages, files and users in text files by default. The text files use Kirby's KirbyData format where each field is separated by newlines and a line with four dashes (`----`). When reading a KirbyData file, the affected code first removed the Unicode BOM sequence from the file contents and afterwards split the content into fields by the field separator.\n\nWhen writing to a KirbyData file, field separators in field data are escaped to prevent user input from interfering with the field structure. However, this escaping could be tricked by including a Unicode BOM sequence in a field separator (e.g. `--\\xEF\\xBB\\xBF--`). When writing, this was not detected as a separator, but because the BOM was removed during reading, it could be abused by attackers to inject other field data into content files.\n\nBecause each field can only be defined once per content file, this vulnerability only affects fields in the content file that were defined above the vulnerable user-writable field or not at all. Fields that are defined below the vulnerable field override the injected field content and were therefore already protected.\n\nThe problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have fixed the affected code to only remove the Unicode BOM sequence at the beginning of the file. This fixes this vulnerability both for newly written and for existing content files.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38488",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00093",
                            "scoring_system": "epss",
                            "scoring_elements": "0.26151",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00093",
                            "scoring_system": "epss",
                            "scoring_elements": "0.26158",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38488"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/a1e0f81c799ddae1af91cf37216f8ded9cb93540",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-17T13:01:01Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/a1e0f81c799ddae1af91cf37216f8ded9cb93540"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-17T13:01:01Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-17T13:01:01Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-17T13:01:01Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-17T13:01:01Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.9.6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-17T13:01:01Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.9.6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38488",
                    "reference_id": "CVE-2023-38488",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38488"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-x5mr-p6v4-wp93",
                    "reference_id": "GHSA-x5mr-p6v4-wp93",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-x5mr-p6v4-wp93"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-x5mr-p6v4-wp93",
                    "reference_id": "GHSA-x5mr-p6v4-wp93",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-17T13:01:01Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-x5mr-p6v4-wp93"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665391?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6.3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66309?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665393?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5.2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66310?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5%252B2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665401?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66311?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66312?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.6",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.6"
                }
            ],
            "aliases": [
                "CVE-2023-38488",
                "GHSA-x5mr-p6v4-wp93"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ge49-hn25-eqba"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93545?format=api",
            "vulnerability_id": "VCID-h2gp-rqt7-ckdf",
            "summary": "Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions\n### TL;DR\n\nThis vulnerability affects all Kirby sites where users of a particular role have no permission to update user information (`user.update` or `users.update` permission is disabled). This can be due to configuration in the blueprint(s) of the acting users, via `options` in the blueprint(s) of the target users or via a combination of both settings.\n\nKirby sites are *not* affected if they intend all users of the site to be able to upload, replace or delete user avatars. The vulnerability can only be exploited by authenticated users.\n\n----\n\n### Introduction\n\nMissing authorization allows authenticated users to perform actions they are not intended to have access to.\n\nThe effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.\n\n### Impact\n\nKirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model using the `options` feature (for user models again in the user blueprints). The permissions and options together control the authorization of user actions.\n\nKirby provides the `user.update` and `users.update` permissions (among others) that control the authorization to update user information for the user's own data or the data of other users respectively. User files are separately gated by the `files.create`, `files.replace` and `files.delete` permissions (among others).\n\nIn affected releases, Kirby only checked the `files.create` and `files.delete` permissions during changes to user avatars. Even though avatars are an integral part of the user profile, they were not covered by the `user.update` and `users.update` permissions. This allowed users with just file permissions to create, replace or delete user avatars.\n\n### Patches\n\nThe problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have added additional permission checks for `user.update`/`users.update` when a user avatar is created, replaced or deleted. These permission checks apply in addition to the file permission checks (`files.create`, `files.replace` and `files.delete`). When a user avatar is replaced with a file of the same type, Kirby now consistently checks the `files.replace` permission instead of a combination of `files.create` and `files.delete`.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42174",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8e-05",
                            "scoring_system": "epss",
                            "scoring_elements": "0.00818",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "8e-05",
                            "scoring_system": "epss",
                            "scoring_elements": "0.00815",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42174"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.9.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:41:35Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/5.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:41:35Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:41:35Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42174",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42174"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-39cp-6679-8xv2",
                    "reference_id": "GHSA-39cp-6679-8xv2",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-39cp-6679-8xv2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110110?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.9.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110111?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n16k-n4g1-bqe4"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"
                }
            ],
            "aliases": [
                "CVE-2026-42174",
                "GHSA-39cp-6679-8xv2"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h2gp-rqt7-ckdf"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95203?format=api",
            "vulnerability_id": "VCID-hsgj-2c1x-cuhu",
            "summary": "Kirby CMS's read access to site, user and role information is not gated by permissions\n### TL;DR\n\nThis vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.\n\n**This vulnerability is of high severity for affected sites.**\n\nSites using Kirby are *not* affected if they intend all users of the site to be able to list and access the site model and all users and roles, including the content stored within these models. Write actions are *not* affected by this vulnerability as they were gated by permissions before.\n\n----\n\n### Introduction\n\nMissing authorization allows authenticated users to perform actions they are not intended to have access to.\n\nThe effects of missing authorization can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.\n\n### Impact\n\nKirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions.\n\nIn affected releases, Kirby did not provide permission settings that control the access to the site model as well as to users and user roles. 
If the site developer disabled all permissions via the wildcard `\"*\": false` setting, this only disabled the actions that were explicitly gated by existing permissions.\n\nTo be specific, the following permissions were missing in affected releases and have been added in the patches:\n\n- `site.access`\n- `user.access` and `users.access` (for the own user and other users respectively)\n- `user.list` and `users.list` (for the own user and other users respectively)\n\nAccess to role information such as the list of existing roles, their names and descriptions as well as their configured permissions was also not gated by user-based permissions.\n\n### Patches\n\nThe problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, Kirby has added the missing permissions that are listed in the \"Impact\" section. The `user.access` and `users.access` permissions also take effect on the access to the user's own role and to other roles respectively.\n\n### Credits\n\nKirby thanks @HuajiHD for responsibly reporting the identified issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42069",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00026",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07732",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00026",
                            "scoring_system": "epss",
                            "scoring_elements": "0.07719",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42069"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.9.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:32:21Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/5.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:32:21Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:32:21Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42069",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42069"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2h7v-4372-f6x2",
                    "reference_id": "GHSA-2h7v-4372-f6x2",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-2h7v-4372-f6x2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110110?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.9.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110111?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n16k-n4g1-bqe4"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"
                }
            ],
            "aliases": [
                "CVE-2026-42069",
                "GHSA-2h7v-4372-f6x2"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hsgj-2c1x-cuhu"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45746?format=api",
            "vulnerability_id": "VCID-kfkm-1a5s-jyf9",
            "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nKirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content folder. Kirby sites are not affected if they don't allow file uploads for untrusted users or visitors or if the file extensions of uploaded files are limited to a fixed safe list. The attack requires user interaction by another user or visitor and cannot be automated.\n\nAn editor with write access to the Kirby Panel could upload a file with an unknown file extension like `.xyz` that contains HTML code including harmful content like `<script>` tags. The direct link to that file could be sent to other users or visitors of the site. If the victim opened that link in a browser where they are logged in to Kirby and the file had not been opened by anyone since the upload, Kirby would not be able to send the correct MIME content type, instead falling back to `text/html`. The browser would then run the script, which could for example trigger requests to Kirby's API with the permissions of the victim.\n\nThe issue was caused by the underlying `Kirby\\Http\\Response::file()` method, which didn't have an explicit fallback if the MIME type could not be determined from the file extension. If you use this method in site or plugin code, these uses may be affected by the same vulnerability.\n\nThe problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have fixed the affected method to use a fallback MIME type of `text/plain` and set the `X-Content-Type-Options: nosniff` header if the MIME type of the file is unknown.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38491",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00188",
                            "scoring_system": "epss",
                            "scoring_elements": "0.40476",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00188",
                            "scoring_system": "epss",
                            "scoring_elements": "0.40474",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38491"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/2f06ba1c026bc91cb0702bc16b7d505642536d15",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:40:04Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/2f06ba1c026bc91cb0702bc16b7d505642536d15"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:40:04Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:40:04Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:40:04Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:40:04Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.9.6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:40:04Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.9.6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38491",
                    "reference_id": "CVE-2023-38491",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38491"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-8fv7-wq38-f5c9",
                    "reference_id": "GHSA-8fv7-wq38-f5c9",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-8fv7-wq38-f5c9"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-8fv7-wq38-f5c9",
                    "reference_id": "GHSA-8fv7-wq38-f5c9",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:40:04Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-8fv7-wq38-f5c9"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665391?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6.3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66309?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665393?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5.2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66310?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5%252B2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665401?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66311?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66312?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.6",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.6"
                }
            ],
            "aliases": [
                "CVE-2023-38491",
                "GHSA-8fv7-wq38-f5c9"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kfkm-1a5s-jyf9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89085?format=api",
            "vulnerability_id": "VCID-mhvv-3qdd-qfax",
            "summary": "Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection\n### TL;DR\n\nThis vulnerability affects all Kirby sites where users of a particular role have no permission to create pages, files or users (`pages.create`, `files.create` or `users.create` permission is disabled). This can be due to configuration in the user blueprint(s), via `options` in the model blueprint(s) or via a combination of both settings.\n\n**This vulnerability is of high severity for affected sites.**\n\nDevelopers' Kirby sites are *not* affected if they intend all users of their site to be able to create pages, files and users. The vulnerability can only be exploited by authenticated users.\n\n----\n\n### Introduction\n\nAn authorization bypass allows authenticated users to perform actions they should not be allowed to perform based on their configured permissions, thereby causing a privilege escalation.\n\nThe effects of an authorization bypass can include unauthorized access to sensitive information as well as unauthorized changes to content or system information.\n\n### Impact\n\nKirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions.\n\nKirby provides the `pages.create`, `files.create` and `users.create` permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via `options`. In affected releases, Kirby allowed the `options` to be overridden during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. 
The injected `options` could include `'create' => true`, which then caused an override of the permissions and options configured by the site developer in the user and model blueprints.\n\n### Patches\n\nThe problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have updated the normalization code that is used during the creation of pages, files and users to include a filter for the `blueprint` property. This prevents the injection of dynamic blueprint configuration into the creation request.\n\n### Credits\n\nKirby thanks @offset for responsibly reporting the identified issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41325",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12838",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12833",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41325"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.9.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T12:11:33Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/5.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T12:11:33Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T12:11:33Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41325",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41325"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-6gqr-mx34-wh8r",
                    "reference_id": "GHSA-6gqr-mx34-wh8r",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-6gqr-mx34-wh8r"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110110?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.9.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110111?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n16k-n4g1-bqe4"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"
                }
            ],
            "aliases": [
                "CVE-2026-41325",
                "GHSA-6gqr-mx34-wh8r"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mhvv-3qdd-qfax"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89623?format=api",
            "vulnerability_id": "VCID-nt5x-k3wp-u3hu",
            "summary": "Kirby has XML injection in its XML creator toolkit\n### TL;DR\n\nThis vulnerability only affects Kirby sites that use the `Xml` data handler (e.g. `Data::encode($string, 'xml')`) or the `Xml::create()`, `Xml::tag()` or `Xml::value()` method(s) in site or plugin code. The Kirby core does not use any of the affected methods.\n\nIf consumers use an affected method and cannot rule out input to these methods controlled by an attacker, Kirby strongly recommends that they update to a patch release.\n\n----\n\n### Introduction\n\nXML strings contain structured data in tags and attributes. Depending on the used XML schema, this data can carry specific meaning that can lead to actions in other systems that parse and act on the XML data. Tags and attributes are detected based on their specific syntax, which includes characters such as `<`, `>`, `\"`, and `&`. If these characters are to be used verbatim in text within the XML string, they can be escaped using a `<![CDATA[ ]]>` block.\n\nXML injection is an attack on a system generating or parsing XML files. By injecting special characters into input data, XML output with a malicious meaning could be generated by a vulnerable system.\n\n### Impact\n\nKirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However it was possible to trick this check into allowing values that only *contained* a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection.\n\nThe `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`).\n\nBoth the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. 
to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible.\n\nKirby sites that don't use XML generation in site or plugin code are *not* affected.\n\n### Patches\n\nThe problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.\n\n### Credits\n\nKirby thanks Patrick Falb (@dapatrese) at [FORMER 03](https://former03.de/) for responsibly reporting the identified issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32870",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.13425",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.13419",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32870"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.9.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.9.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/5.4.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/5.4.0"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32870",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32870"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-9wfj-c55w-j9qr",
                    "reference_id": "GHSA-9wfj-c55w-j9qr",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-9wfj-c55w-j9qr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110110?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.9.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/818240?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.0.0-alpha.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110111?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.4.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6cfu-ugc9-3qgb"
                        },
                        {
                            "vulnerability": "VCID-9svs-tvxm-bfe5"
                        },
                        {
                            "vulnerability": "VCID-akyk-rcp8-t7af"
                        },
                        {
                            "vulnerability": "VCID-n16k-n4g1-bqe4"
                        },
                        {
                            "vulnerability": "VCID-n212-9fuw-bbbn"
                        },
                        {
                            "vulnerability": "VCID-pvx9-24pb-bba7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/925613?format=api",
                    "purl": "pkg:composer/getkirby/cms@6.0.0-alpha.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@6.0.0-alpha.1"
                }
            ],
            "aliases": [
                "CVE-2026-32870",
                "GHSA-9wfj-c55w-j9qr"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nt5x-k3wp-u3hu"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45741?format=api",
            "vulnerability_id": "VCID-pnk6-vjcp-u7aa",
            "summary": "Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user.\n\nInsufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. In the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device even if the logged in user has since changed their password. Kirby does not invalidate user sessions that were created with a password that was since changed by the user or by a site admin. If a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user.\n\nThe problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have updated the authentication implementation to keep track of the hashed password in each active session. If the password changed since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38489",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00207",
                            "scoring_system": "epss",
                            "scoring_elements": "0.43158",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00207",
                            "scoring_system": "epss",
                            "scoring_elements": "0.4315",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38489"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.9.6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.9.6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38489",
                    "reference_id": "CVE-2023-38489",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38489"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-5mvj-rvp8-rf45",
                    "reference_id": "GHSA-5mvj-rvp8-rf45",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-5mvj-rvp8-rf45"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45",
                    "reference_id": "GHSA-5mvj-rvp8-rf45",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665391?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6.3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66309?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665393?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5.2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66310?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5%252B2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665401?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66311?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66312?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.6",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.6"
                }
            ],
            "aliases": [
                "CVE-2023-38489",
                "GHSA-5mvj-rvp8-rf45"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pnk6-vjcp-u7aa"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47108?format=api",
            "vulnerability_id": "VCID-s33b-8zp5-yyaa",
            "summary": "Duplicate Advisory: Unrestricted file upload of user avatar images\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xrvh-rvc4-5m43. This link is maintained to preserve external references.\n\n## Original Description\nAn arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file.",
            "references": [
                {
                    "reference_url": "https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Unrestricted-File-Upload-dc60ce3132f04442b73f2dba2631fae0?pvs=4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Unrestricted-File-Upload-dc60ce3132f04442b73f2dba2631fae0?pvs=4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26483",
                    "reference_id": "CVE-2024-26483",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26483"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-fr72-9665-w3gr",
                    "reference_id": "GHSA-fr72-9665-w3gr",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-fr72-9665-w3gr"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-xrvh-rvc4-5m43",
                    "reference_id": "GHSA-xrvh-rvc4-5m43",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-xrvh-rvc4-5m43"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69109?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.1.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.1.1"
                }
            ],
            "aliases": [
                "GHSA-fr72-9665-w3gr"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s33b-8zp5-yyaa"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47117?format=api",
            "vulnerability_id": "VCID-sbfh-v9uy-u3cp",
            "summary": "Kirby vulnerable to unrestricted file upload of user avatar images\n### TL;DR\n\nThis vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.\n\nThe attack requires user interaction by another user or visitor and *cannot* be automated.\n\n----\n\n### Introduction\n\nUnrestricted upload of files with a dangerous type is a type of vulnerability that allows attackers to circumvent expectations and protections in the server setup or backend code. Uploaded files are not checked for their compliance with the intended purpose of the upload target, which can introduce secondary attack vectors.\n\nWhile the vulnerability described here does *not* allow critical attacks like remote code execution (RCE), it can still be abused to upload unexpected file types that could for example make it possible to perform cross-site scripting (XSS) attacks.\n\n### Impact\n\nUsers with Panel access can upload a user avatar in their own account view. This avatar is intended to be an image, however the file type or file extension was not validated on the backend. This effectively allowed the upload of many types of files that would then be stored with the filename `profile` and the provided file extension.\n\nWhile the upload is protected against dangerous file types such as HTML files or executable PHP files, this could be abused to upload unexpected files such as PDFs that would then be available via a direct link. These links could be shared with other users.\n\n### Patches\n\nThe problem has been patched in [Kirby 3.6.6.5](https://github.com/getkirby/kirby/releases/tag/3.6.6.5), [Kirby 3.7.5.4](https://github.com/getkirby/kirby/releases/tag/3.7.5.4), [Kirby 3.8.4.3](https://github.com/getkirby/kirby/releases/tag/3.8.4.3), [Kirby 3.9.8.1](https://github.com/getkirby/kirby/releases/tag/3.9.8.1), [Kirby 3.10.0.1](https://github.com/getkirby/kirby/releases/tag/3.10.0.1), and [Kirby 4.1.1](https://github.com/getkirby/kirby/releases/tag/4.1.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have added validations that prevent any files that don't have an image file extension or MIME type from being uploaded as a user avatar.\n\n### Credits\n\nThanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26483",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00157",
                            "scoring_system": "epss",
                            "scoring_elements": "0.36354",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00157",
                            "scoring_system": "epss",
                            "scoring_elements": "0.36345",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26483"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Unrestricted-File-Upload-dc60ce3132f04442b73f2dba2631fae0?pvs=4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-22T16:29:31Z/"
                        }
                    ],
                    "url": "https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Unrestricted-File-Upload-dc60ce3132f04442b73f2dba2631fae0?pvs=4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26483",
                    "reference_id": "CVE-2024-26483",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26483"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-xrvh-rvc4-5m43",
                    "reference_id": "GHSA-xrvh-rvc4-5m43",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-xrvh-rvc4-5m43"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-xrvh-rvc4-5m43",
                    "reference_id": "GHSA-xrvh-rvc4-5m43",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-22T16:29:31Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-xrvh-rvc4-5m43"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69129?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B5",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B5"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/720322?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6.5",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6.5"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69130?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5%2B4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5%252B4"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/720323?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5.4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5.4"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69131?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4%2B3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4%252B3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/720324?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4.3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69132?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.8%2B1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.8%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/720325?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.8.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.8.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/720326?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.10.0.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.10.0.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69133?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.10.0%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.10.0%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69109?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.1.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.1.1"
                }
            ],
            "aliases": [
                "CVE-2024-26483",
                "GHSA-xrvh-rvc4-5m43"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "7.9",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sbfh-v9uy-u3cp"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57284?format=api",
            "vulnerability_id": "VCID-seme-4ery-6qbp",
            "summary": "Kirby vulnerable to path traversal in the router for PHP's built-in server\nThe missing path traversal check allowed attackers to navigate all files on the server that were accessible to the PHP process, including files outside of the Kirby installation.\n\nThe vulnerable implementation delegated all existing files to PHP, including existing files outside of the document root. This leads to a different response that allows attackers to determine whether the requested file exists.\n\nBecause Kirby's router only delegates such requests to PHP and does not load or execute them, contents of the files were not exposed as PHP treats requests to files outside of the document root as invalid.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30207",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00593",
                            "scoring_system": "epss",
                            "scoring_elements": "0.69677",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00593",
                            "scoring_system": "epss",
                            "scoring_elements": "0.69669",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30207"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/3ebc9ad3f5adcbd4838ce60219f1c9a561231235",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/3ebc9ad3f5adcbd4838ce60219f1c9a561231235"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.10.1.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:36:16Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.10.1.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.9.8.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:36:16Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.9.8.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.7.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:36:16Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.7.1"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30207",
                    "reference_id": "CVE-2025-30207",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30207"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-9p3p-w5jf-8xxg",
                    "reference_id": "GHSA-9p3p-w5jf-8xxg",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-9p3p-w5jf-8xxg"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-9p3p-w5jf-8xxg",
                    "reference_id": "GHSA-9p3p-w5jf-8xxg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:36:16Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-9p3p-w5jf-8xxg"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/818228?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.8.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.8.3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/85114?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.8%2B3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.8%252B3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/818230?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.10.1.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.10.1.2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/85115?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.10.1%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.10.1%252B2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/85116?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.7.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.7.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/818240?format=api",
                    "purl": "pkg:composer/getkirby/cms@5.0.0-alpha.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1"
                }
            ],
            "aliases": [
                "CVE-2025-30207",
                "GHSA-9p3p-w5jf-8xxg"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-seme-4ery-6qbp"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45744?format=api",
            "vulnerability_id": "VCID-t7he-gjus-hyfm",
            "summary": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')\nKirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods.\n\nXML External Entities (XXE) is a little-used feature of the XML markup language that allows data from external files to be included in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts, such as disclosing internal or confidential data that is stored on the server (arbitrary file disclosure) or performing network requests on behalf of the server (server-side request forgery, SSRF).\n\nKirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation. The `Xml::parse()` method is used in the `Xml` data handler (e.g. `Data::decode($string, 'xml')`). Neither the vulnerable method nor the data handler is used in the Kirby core. However, they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed during parsing. Kirby sites that don't use XML parsing in site or plugin code are *not* affected.\n\nThe problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have removed the `LIBXML_NOENT` constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38490",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.20373",
                            "scoring_system": "epss",
                            "scoring_elements": "0.95659",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.20373",
                            "scoring_system": "epss",
                            "scoring_elements": "0.95655",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38490"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.9.6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.9.6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38490",
                    "reference_id": "CVE-2023-38490",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38490"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-q386-w6fg-gmgp",
                    "reference_id": "GHSA-q386-w6fg-gmgp",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-q386-w6fg-gmgp"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp",
                    "reference_id": "GHSA-q386-w6fg-gmgp",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665391?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6.3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66309?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665393?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5.2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66310?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5%252B2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665401?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66311?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66312?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.6",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.6"
                }
            ],
            "aliases": [
                "CVE-2023-38490",
                "GHSA-q386-w6fg-gmgp"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t7he-gjus-hyfm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47104?format=api",
            "vulnerability_id": "VCID-umm8-7cx6-4fcu",
            "summary": "Kirby CMS HTML injection vulnerability\nAn HTML injection vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted payload.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26482",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00035",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10822",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00035",
                            "scoring_system": "epss",
                            "scoring_elements": "0.10833",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26482"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-HTML-Injection-19ca19686d0a4533ab4b0c53fc977eef?pvs=4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-02-22T16:59:02Z/"
                        }
                    ],
                    "url": "https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-HTML-Injection-19ca19686d0a4533ab4b0c53fc977eef?pvs=4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26482",
                    "reference_id": "CVE-2024-26482",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26482"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qv4x-v2v4-f8p9",
                    "reference_id": "GHSA-qv4x-v2v4-f8p9",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-qv4x-v2v4-f8p9"
                }
            ],
            "fixed_packages": [],
            "aliases": [
                "CVE-2024-26482",
                "GHSA-qv4x-v2v4-f8p9"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-umm8-7cx6-4fcu"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/109959?format=api",
            "vulnerability_id": "VCID-vzgw-9wuj-j3fd",
            "summary": "Cross-site scripting from content entered in the tags and multiselect fields\n### Introduction\n\nCross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.\n\nSuch vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.\n\n### Impact\n\nThe tags and multiselect fields allow to select tags from an autocompleted list. The tags field also allows to enter new tags or edit existing tags. Kirby already handled escaping of the autocompleted tags, but unfortunately the Panel used HTML rendering for new or edited tags as well as for custom tags from the content file.\n\nThis allowed **attackers with Panel access** to store malicious HTML code in a tag. The browser of the victim who visited the modified page in the Panel will then have rendered this malicious HTML code.\n\nIt also allowed **self-inflicted XSS attacks** in the tags field (meaning that malicious code is executed in the browser of the user who entered it). This could be used in social engineering attacks where a victim is convinced by an attacker to enter malicious code into a tags field.\n\n**Visitors without Panel access** could *only* use this attack vector if your site allows changing the content of a tags or multiselect field from a frontend form (for example user self-registration or the creation of pages from a contact or other frontend form). 
If you validate or sanitize the provided form data, you are already protected against such attacks by external visitors.\n\nYou are also *not* affected by these vulnerabilities if your site doesn't have untrustworthy users with Panel access or a way to modify field values from the frontend or if you don't use the tags or multiselect fields.\n\n### Patches\n\nThe problems have been patched in [Kirby 3.5.8.1](https://github.com/getkirby/kirby/releases/tag/3.5.8.1), [Kirby 3.6.6.1](https://github.com/getkirby/kirby/releases/tag/3.6.6.1) and [Kirby 3.7.4](https://github.com/getkirby/kirby/releases/tag/3.7.4). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerabilities.\n\n**Note:** The fixes for these vulnerabilities have the side effect that values in the tags and multiselect fields that come from dynamic options are displayed with double escaping (e.g. the `&` character is displayed as `&amp;`). In the fix for Kirby 3.5, every value in the tags field is displayed with double escaping when dynamic options are enabled, while dynamic options themselves are displayed with triple escaping. We will fix the double/triple escaping issues with a refactoring of the options fields (tags, multiselect, checkboxes, radio, select and toggles) in Kirby 3.8.\n\n### Workarounds\n\nWe recommend updating to one of the patch releases. If you cannot update immediately, you can work around the issue by disabling the tags and multiselect fields. This can be done by commenting out these fields in all your blueprints.",
            "references": [
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-rv3r-vqjj-8c76",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-rv3r-vqjj-8c76"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-rv3r-vqjj-8c76",
                    "reference_id": "GHSA-rv3r-vqjj-8c76",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-rv3r-vqjj-8c76"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/604345?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-ge49-hn25-eqba"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-kfkm-1a5s-jyf9"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-pnk6-vjcp-u7aa"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-t7he-gjus-hyfm"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w4e7-nn14-77hf"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-ypuf-fpfc-b3bg"
                        },
                        {
                            "vulnerability": "VCID-z6y7-rubq-8bdh"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/148070?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/148071?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-ge49-hn25-eqba"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-kfkm-1a5s-jyf9"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-pnk6-vjcp-u7aa"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-t7he-gjus-hyfm"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w4e7-nn14-77hf"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-ypuf-fpfc-b3bg"
                        },
                        {
                            "vulnerability": "VCID-z6y7-rubq-8bdh"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.4"
                }
            ],
            "aliases": [
                "GHSA-rv3r-vqjj-8c76",
                "GMS-2022-3697"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vzgw-9wuj-j3fd"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55747?format=api",
            "vulnerability_id": "VCID-w47w-xzfq-7bdk",
            "summary": "Kirby has insufficient permission checks in the language settings\nThe missing permission checks allowed attackers with Panel access to manipulate the language definitions.\n\nThe language definitions are at the core of multi-language content in Kirby. Unauthorized modifications with malicious intent can cause significant damage, for example:\n\n- If the `languages` option was enabled but no language exists, creating the first language will switch Kirby to multi-language mode.\n- Deleting an existing language will lead to content loss of all translated content in that language. Deleting the last language will switch Kirby to single-language mode.\n- Updating a language allows to change the metadata including the language slug (used in page URLs) and language variables. It also allows to change the default language, which will cause Kirby to use the new default language's content as a fallback for non-existing translations.\n\nDepending on the site code, the result of such actions can cause loss of site availability (e.g. error messages in the site frontend) or integrity (due to changed URLs or removed translations).",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-41964",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00379",
                            "scoring_system": "epss",
                            "scoring_elements": "0.59748",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00379",
                            "scoring_system": "epss",
                            "scoring_elements": "0.59745",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-41964"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/1dbc9215c97a5c22dc7f34a4e3a64d19e1eac151",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/1dbc9215c97a5c22dc7f34a4e3a64d19e1eac151"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/38636655b054e820f66c3b717c55a9d60fe6400a",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/38636655b054e820f66c3b717c55a9d60fe6400a"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/83fce501759782cf843b6f1d9293a7c7167e69af",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/83fce501759782cf843b6f1d9293a7c7167e69af"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T16:35:56Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/ab95d172667c3cd529917c2bc94d3c7969706d23"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/af9b0a58dea63effab85525ae217faa1f5ded423",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/af9b0a58dea63effab85525ae217faa1f5ded423"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/e647a177c75636ef4824662b2ce00d8e5c3a8406",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/e647a177c75636ef4824662b2ce00d8e5c3a8406"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.10.1.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.10.1.1"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.6"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.5"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.4"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.9.8.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.9.8.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/4.3.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/4.3.1"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41964",
                    "reference_id": "CVE-2024-41964",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41964"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-jm9m-rqr3-wfmh",
                    "reference_id": "GHSA-jm9m-rqr3-wfmh",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-jm9m-rqr3-wfmh"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh",
                    "reference_id": "GHSA-jm9m-rqr3-wfmh",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T16:35:56Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/758444?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6.6",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6.6"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/82491?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B6",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B6"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/758445?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5.5",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5.5"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/82492?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5%2B5",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5%252B5"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/758446?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4.4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4.4"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/82493?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4%2B4",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4%252B4"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/758447?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.8.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.8.2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/82494?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.8%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.8%252B2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/82495?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.10.1%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.10.1%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/719071?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.0.0-alpha.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.0.0-alpha.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/82496?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.3.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.3.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/758452?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.4.0-rc.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.4.0-rc.1"
                }
            ],
            "aliases": [
                "CVE-2024-41964",
                "GHSA-jm9m-rqr3-wfmh"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w47w-xzfq-7bdk"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45739?format=api",
            "vulnerability_id": "VCID-w4e7-nn14-77hf",
            "summary": "Allocation of Resources Without Limits or Throttling\nKirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited; however, we still recommend updating to one of the patch releases because they also fix more severe vulnerabilities.\n\nKirby's authentication endpoint does not limit the password length. This allows attackers to provide a password with a length up to the server's maximum request body length. Validating that password against the user's actual password requires hashing the provided password, which requires more CPU and memory resources (and therefore processing time) the longer the provided password gets. This could be abused by an attacker to cause the website to become unresponsive or unavailable. Because Kirby comes with built-in brute-force protection, the impact of this vulnerability is limited to 10 failed logins from each IP address and 10 failed logins for each existing user per hour.\n\nThe problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have added password length limits in the affected code so that passwords longer than 1000 bytes are immediately blocked, both when setting a password and when logging in.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38492",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00131",
                            "scoring_system": "epss",
                            "scoring_elements": "0.32107",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00131",
                            "scoring_system": "epss",
                            "scoring_elements": "0.32138",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38492"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/commit/0e10ce3b0c2b88656564b8ff518ddc99136ac43e",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-22T20:18:39Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/commit/0e10ce3b0c2b88656564b8ff518ddc99136ac43e"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-22T20:18:39Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-22T20:18:39Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.3"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-22T20:18:39Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-22T20:18:39Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.8.4.1"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.9.6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-22T20:18:39Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.9.6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38492",
                    "reference_id": "CVE-2023-38492",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38492"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3v6j-v3qc-cxff",
                    "reference_id": "GHSA-3v6j-v3qc-cxff",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-3v6j-v3qc-cxff"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-3v6j-v3qc-cxff",
                    "reference_id": "GHSA-3v6j-v3qc-cxff",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-22T20:18:39Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-3v6j-v3qc-cxff"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665391?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6.3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66309?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665393?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5.2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66310?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5%252B2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/665401?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66311?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/66312?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.6",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.6"
                }
            ],
            "aliases": [
                "CVE-2023-38492",
                "GHSA-3v6j-v3qc-cxff"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w4e7-nn14-77hf"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47124?format=api",
            "vulnerability_id": "VCID-w8k5-mcu9-zuh3",
            "summary": "Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field\n### TL;DR\n\nThis vulnerability affects Kirby sites that use the [URL field](https://getkirby.com/docs/reference/panel/fields/url) in any blueprint.\n\nA successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack *cannot* be automated.\n\nThe vulnerability is also limited to self-XSS and *cannot* directly affect other users or visitors of the site.\n\n----\n\n### Introduction\n\nCross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.\n\nSelf cross-site scripting (self-XSS, also called reflected XSS) typically involves a user inadvertently executing malicious code within their own context, often through social engineering techniques. This can occur when a user is tricked into pasting and executing malicious JavaScript code into the browser's developer console, address bar or form fields.\n\nSuch vulnerabilities are critical as they allow attackers to gain access to the system or to escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.\n\n### Impact\n\nThe URL field allows users to open the entered link in a new tab by clicking the link icon inside the field. This can be used to quickly verify whether the entered URL is functional and correct.\n\nIn affected versions, Kirby copied the entered URL into the link target of that link button without validating or sanitizing the link. 
This could be abused by attackers with a `javascript:` URL that would then be executed in the user's context when the link button was clicked with <kbd>Ctrl+Click</kbd>/<kbd>Cmd+Click</kbd>.\n\n### Patches\n\nThe problem has been patched in [Kirby 3.6.6.5](https://github.com/getkirby/kirby/releases/tag/3.6.6.5), [Kirby 3.7.5.4](https://github.com/getkirby/kirby/releases/tag/3.7.5.4), [Kirby 3.8.4.3](https://github.com/getkirby/kirby/releases/tag/3.8.4.3), [Kirby 3.9.8.1](https://github.com/getkirby/kirby/releases/tag/3.9.8.1), [Kirby 3.10.0.1](https://github.com/getkirby/kirby/releases/tag/3.10.0.1), and [Kirby 4.1.1](https://github.com/getkirby/kirby/releases/tag/4.1.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have changed the URL field to only make the link button clickable if the entered URL is valid and safe.\n\n### Credits\n\nThanks to Natwara Archeepsamooth (@PlyNatwara) for responsibly reporting the identified issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26481",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00098",
                            "scoring_system": "epss",
                            "scoring_elements": "0.2699",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00098",
                            "scoring_system": "epss",
                            "scoring_elements": "0.26998",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26481"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Self-Cross-Site-Scripting-d877183d20af49f8a8f58554bc06d51c?pvs=4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-14T19:20:43Z/"
                        }
                    ],
                    "url": "https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Self-Cross-Site-Scripting-d877183d20af49f8a8f58554bc06d51c?pvs=4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26481",
                    "reference_id": "CVE-2024-26481",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26481"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-57f2-8p89-66x6",
                    "reference_id": "GHSA-57f2-8p89-66x6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-57f2-8p89-66x6"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-57f2-8p89-66x6",
                    "reference_id": "GHSA-57f2-8p89-66x6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-14T19:20:43Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-57f2-8p89-66x6"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69129?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B5",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B5"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/720322?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6.5",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6.5"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69130?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5%2B4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5%252B4"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/720323?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5.4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5.4"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69131?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4%2B3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4%252B3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/720324?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.4.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.4.3"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69132?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.8%2B1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.8%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/720325?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.9.8.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.9.8.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/720326?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.10.0.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.10.0.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69133?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.10.0%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.10.0%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69109?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.1.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.1.1"
                }
            ],
            "aliases": [
                "CVE-2024-26481",
                "GHSA-57f2-8p89-66x6"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w8k5-mcu9-zuh3"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108785?format=api",
            "vulnerability_id": "VCID-ypuf-fpfc-b3bg",
            "summary": "Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms\n### TL;DR\n\nThis vulnerability only affects you if you are using the `code` or `password-reset` auth method with the `auth.methods` option. It can only be successfully exploited under server configuration conditions outside of the attacker's control.\n\n----\n\n### Introduction\n\nUser enumeration is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.\n\nUser enumeration attacks are performed by entering an existing and a non-existing user into the email address field of the login form. If the system returns a different response or behaves differently depending on whether the user exists, the attacker can enter unknown email addresses and use the different behavior as a clue for the (non-)existing user.\n\n### Impact\n\nUnder normal circumstances, entering an invalid email address results in a \"fake\" login code form that looks exactly like the one of an existing user (unless debugging is enabled). However, the code that handles the creation of a code challenge (for code-based login or password reset) didn't catch errors that occurred while the challenge request was processed:\n\n- If the challenge itself runs into an error (e.g. 
if the email could not be sent), attackers could tell existing users (where the challenge code is called) from non-existing users (where the challenge code is not called and therefore does not output an error).\n- If you are using the `user.login:failed` hook and any exception is thrown within the hook, attackers could see that the user does not exist.\n\nAs long as no error occurs during challenge creation and during the processing of the `user.login:failed` hook, your Kirby sites are *not* affected by this vulnerability.\n\n### Patches\n\nThe problems have been patched in [Kirby 3.5.8.2](https://github.com/getkirby/kirby/releases/tag/3.5.8.2), [Kirby 3.6.6.2](https://github.com/getkirby/kirby/releases/tag/3.6.6.2), [Kirby 3.7.5.1](https://github.com/getkirby/kirby/releases/tag/3.7.5.1) and [Kirby 3.8.1](https://github.com/getkirby/kirby/releases/tag/3.8.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nAll of the mentioned releases contain two patches for this vulnerability:\n\n- All errors that occur during the creation of an auth challenge (code-based login or password reset) are swallowed by the backend and only displayed to the user if debugging is enabled.\n- We added a new `auth.debug` option that can be enabled separately from the `debug` option. If disabled, auth errors are only printed to the PHP error log. This ensures that security-critical errors are only displayed if they are really necessary for debugging.\n\n### Workarounds\n\nWe recommend to update to one of the patch releases. 
If you cannot update immediately, you can work around the issue by setting the `auth.methods` option to `password`, which disables the code-based login and password reset forms.\n\nHowever, please note that your site will still be vulnerable to [another user enumeration issue](https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f) that was also fixed in the same patch releases.\n\n### Credits\n\nThanks to [Florian Merz](mailto:florian@hatchery.io) (@florianmrz) of [hatchery.io](https://www.hatchery.io/) for responsibly reporting the identified issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39314",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00205",
                            "scoring_system": "epss",
                            "scoring_elements": "0.4262",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00205",
                            "scoring_system": "epss",
                            "scoring_elements": "0.42609",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00205",
                            "scoring_system": "epss",
                            "scoring_elements": "0.42535",
                            "published_at": "2026-06-04T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39314"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.1"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.8.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.8.1"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-43qq-qw4x-28f8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:56:06Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-43qq-qw4x-28f8"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39314",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39314"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-43qq-qw4x-28f8",
                    "reference_id": "GHSA-43qq-qw4x-28f8",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-43qq-qw4x-28f8"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/144573?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/615315?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.0-rc.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.0-rc.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/144574?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/615317?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.0-rc.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.0-rc.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/615318?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.1-rc.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-ge49-hn25-eqba"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-kfkm-1a5s-jyf9"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-pnk6-vjcp-u7aa"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-t7he-gjus-hyfm"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w4e7-nn14-77hf"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.1-rc.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/144575?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-ge49-hn25-eqba"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-kfkm-1a5s-jyf9"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-pnk6-vjcp-u7aa"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-t7he-gjus-hyfm"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w4e7-nn14-77hf"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.1"
                }
            ],
            "aliases": [
                "CVE-2022-39314",
                "GHSA-43qq-qw4x-28f8",
                "GMS-2022-5560"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ypuf-fpfc-b3bg"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108842?format=api",
            "vulnerability_id": "VCID-z6y7-rubq-8bdh",
            "summary": "Kirby CMS vulnerable to user enumeration in the brute force protection\n### TL;DR\n\nThis vulnerability affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be exploited for targeted attacks because the attack does not scale to brute force.\n\n----\n\n### Introduction\n\nUser enumeration is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company.\n\nUser enumeration attacks are performed by entering an existing and a non-existing user into the email address field of the login form. If the system returns a different response or behaves differently depending on whether the user exists, the attacker can enter unknown email addresses and use the different behavior as a clue for the (non-)existing user.\n\n### Impact\n\nKirby comes with a built-in brute force protection. By default, it will prevent further login attempts after 10 failed logins from a single IP address or of a single existing user. After every failed login attempt, Kirby inserts a random delay between one millisecond and two seconds to make automated attacks harder and to avoid leaking whether the user exists. Unfortunately, this random delay was not inserted after the brute force limit was reached.\n\nBecause Kirby only tracks failed login attempts per email address for existing users but always tracks failed login attempts per IP address, this behavior could be abused by attackers for user enumeration. For this to work, an attacker would need to create login requests beyond the trials limit (which is 10 by default) from two or more IP addresses. 
After the trials limit was reached, the login form immediately blocked further requests for existing users, but not for invalid users.\n\nThis exploit does not scale to brute force attacks because of the delay during the first 10 requests per user, the faint difference between the responses for valid and invalid users and the fact that code-based logins would send an email for every login attempt, which makes the attack easy to spot. The vulnerability is therefore only relevant for targeted attacks.\n\n### Patches\n\nThe problem has been patched in [Kirby 3.5.8.2](https://github.com/getkirby/kirby/releases/tag/3.5.8.2), [Kirby 3.6.6.2](https://github.com/getkirby/kirby/releases/tag/3.6.6.2), [Kirby 3.7.5.1](https://github.com/getkirby/kirby/releases/tag/3.7.5.1) and [Kirby 3.8.1](https://github.com/getkirby/kirby/releases/tag/3.8.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39315",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00463",
                            "scoring_system": "epss",
                            "scoring_elements": "0.64693",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00463",
                            "scoring_system": "epss",
                            "scoring_elements": "0.64684",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00463",
                            "scoring_system": "epss",
                            "scoring_elements": "0.64643",
                            "published_at": "2026-06-04T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39315"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:49:49Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.5.8.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:49:49Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.6.6.2"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:49:49Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.7.5.1"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/releases/tag/3.8.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:49:49Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/releases/tag/3.8.1"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:49:49Z/"
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39315",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39315"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-c27j-76xg-6x4f",
                    "reference_id": "GHSA-c27j-76xg-6x4f",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-c27j-76xg-6x4f"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/144573?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.6.6%2B2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.6%252B2"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/615315?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.0-rc.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.0-rc.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/144574?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.7.5%2B1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.7.5%252B1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/615317?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.0-rc.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.0-rc.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/615318?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.1-rc.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-ge49-hn25-eqba"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-kfkm-1a5s-jyf9"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-pnk6-vjcp-u7aa"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-t7he-gjus-hyfm"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w4e7-nn14-77hf"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.1-rc.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/144575?format=api",
                    "purl": "pkg:composer/getkirby/cms@3.8.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-ge49-hn25-eqba"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-kfkm-1a5s-jyf9"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-pnk6-vjcp-u7aa"
                        },
                        {
                            "vulnerability": "VCID-s33b-8zp5-yyaa"
                        },
                        {
                            "vulnerability": "VCID-sbfh-v9uy-u3cp"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-t7he-gjus-hyfm"
                        },
                        {
                            "vulnerability": "VCID-umm8-7cx6-4fcu"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        },
                        {
                            "vulnerability": "VCID-w4e7-nn14-77hf"
                        },
                        {
                            "vulnerability": "VCID-w8k5-mcu9-zuh3"
                        },
                        {
                            "vulnerability": "VCID-zakx-qtwy-gbba"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.8.1"
                }
            ],
            "aliases": [
                "CVE-2022-39315",
                "GHSA-c27j-76xg-6x4f",
                "GMS-2022-5561"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z6y7-rubq-8bdh"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47102?format=api",
            "vulnerability_id": "VCID-zakx-qtwy-gbba",
            "summary": "Duplicate Advisory: Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field\n## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-57f2-8p89-66x6. This link is maintained to preserve external references.\n\n## Original Description\nKirby CMS v4.1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the URL parameter.",
            "references": [
                {
                    "reference_url": "https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Self-Cross-Site-Scripting-d877183d20af49f8a8f58554bc06d51c?pvs=4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Self-Cross-Site-Scripting-d877183d20af49f8a8f58554bc06d51c?pvs=4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26481",
                    "reference_id": "CVE-2024-26481",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26481"
                },
                {
                    "reference_url": "https://github.com/getkirby/kirby/security/advisories/GHSA-57f2-8p89-66x6",
                    "reference_id": "GHSA-57f2-8p89-66x6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-57f2-8p89-66x6"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-w879-mxj5-c3wf",
                    "reference_id": "GHSA-w879-mxj5-c3wf",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-w879-mxj5-c3wf"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69109?format=api",
                    "purl": "pkg:composer/getkirby/cms@4.1.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-1zg8-cndr-73hk"
                        },
                        {
                            "vulnerability": "VCID-4wcn-6ujb-tuhr"
                        },
                        {
                            "vulnerability": "VCID-8a1t-g8pv-4fcb"
                        },
                        {
                            "vulnerability": "VCID-e9gx-3frn-gfeu"
                        },
                        {
                            "vulnerability": "VCID-g46n-k3pp-t3a5"
                        },
                        {
                            "vulnerability": "VCID-h2gp-rqt7-ckdf"
                        },
                        {
                            "vulnerability": "VCID-hsgj-2c1x-cuhu"
                        },
                        {
                            "vulnerability": "VCID-mhvv-3qdd-qfax"
                        },
                        {
                            "vulnerability": "VCID-nt5x-k3wp-u3hu"
                        },
                        {
                            "vulnerability": "VCID-seme-4ery-6qbp"
                        },
                        {
                            "vulnerability": "VCID-w47w-xzfq-7bdk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.1.1"
                }
            ],
            "aliases": [
                "GHSA-w879-mxj5-c3wf"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zakx-qtwy-gbba"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "4.0",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@3.6.3"
}