| purl | pkg:composer/getkirby/cms@3.5.7.1 |
| Next non-vulnerable version | 4.9.1 |
| Latest non-vulnerable version | 6.0.0-alpha.1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1425-ev7t-vqfg (Aliases: CVE-2026-42051, GHSA-x68m-c7jf-2572) | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and the installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0. | |
| VCID-1yr6-nypu-y7em (Aliases: CVE-2023-38488, GHSA-x5mr-p6v4-wp93) | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update a Kirby content file (e.g. via a contact or comment form). Kirby sites are *not* affected if they don't allow write access for untrusted users or visitors. A field injection in a content storage implementation is a type of vulnerability that allows attackers with content write access to overwrite content fields that the site developer didn't intend to be modified. In a Kirby site this can be used to alter site content, break site behavior or inject malicious data or code. The exact security risk depends on the field type and usage. Kirby stores content of the site, of pages, files and users in text files by default. The text files use Kirby's KirbyData format where each field is separated by newlines and a line with four dashes (`----`). When reading a KirbyData file, the affected code first removed every Unicode BOM sequence from the file contents and afterwards split the content into fields by the field separator. When writing to a KirbyData file, field separators in field data are escaped to prevent user input from interfering with the field structure. However this escaping could be tricked by including a Unicode BOM sequence inside a field separator (e.g. `--\xEF\xBB\xBF--`). When writing, this was not detected as a separator, but because the BOM was removed during reading, it could be abused by attackers to inject other field data into content files. Because each field can only be defined once per content file, this vulnerability only affects fields in the content file that were defined above the vulnerable user-writable field or not at all. Fields that are defined below the vulnerable field override the injected field content and were therefore already protected. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have fixed the affected code to only remove the Unicode BOM sequence at the beginning of the file. This fixes the vulnerability both for newly written and for existing content files. | |
| VCID-21ju-reqm-3fg5 (Aliases: CVE-2024-26482, GHSA-qv4x-v2v4-f8p9) | An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's mentioned "injecting malicious scripts" would not occur. | There are no reported fixed by versions. |
| VCID-4sqz-nyzx-57f5 (Aliases: CVE-2025-30207, GHSA-9p3p-w5jf-8xxg) | Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software (such as Apache, nginx or Caddy) are not affected. A missing path traversal check allowed attackers to navigate all files on the server that were accessible to the PHP process, including files outside of the Kirby installation. The vulnerable implementation delegated all existing files to PHP, including existing files outside of the document root. This leads to a different response that allows attackers to determine whether the requested file exists. Because Kirby's router only delegates such requests to PHP and does not load or execute them, contents of the files were not exposed, as PHP treats requests to files outside of the document root as invalid. The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2, and Kirby 4.7.1. In all of the mentioned releases, the maintainers of Kirby have updated the router to check whether existing static files are within the document root. Requests to files outside the document root are treated as page requests of the error page and no longer allow an attacker to determine whether the file exists. | |
| VCID-5v41-4fe5-r7ag (Aliases: CVE-2023-38490, GHSA-q386-w6fg-gmgp) | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods. XML external entities (XXE) are a rarely used feature of the XML markup language that allows data from external files to be included in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF). Kirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation. The `Xml::parse()` method is used in the `Xml` data handler (e.g. `Data::decode($string, 'xml')`). Neither the vulnerable method nor the data handler is used in the Kirby core. However they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed during parsing. Kirby sites that don't use XML parsing in site or plugin code are *not* affected. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have removed the `LIBXML_NOENT` constant, as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability. | |
| VCID-717g-19zk-5kbk (Aliases: CVE-2022-36037, GHSA-3f89-869f-5w76) | Kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. If bad actors gain access to your group of authenticated Panel users, they can escalate their privileges via the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. The multiselect field allows selection of tags from an autocompleted list. Unfortunately, the Panel in Kirby 3.5 used HTML rendering for the raw option value. This allowed **attackers with influence on the options source** to store HTML code. The browser of a victim who visited a page with manipulated multiselect options in the Panel would then render this malicious HTML code when the victim opened the autocomplete dropdown. Sites are *not* affected by this vulnerability if they don't use the multiselect field, or don't use it with options that can be manipulated by attackers. The problem has been patched in Kirby 3.5.8.1. | |
| VCID-79q7-rtyq-73gy (Aliases: CVE-2023-38491, GHSA-8fv7-wq38-f5c9) | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to upload an arbitrary file to the content folder. Kirby sites are not affected if they don't allow file uploads for untrusted users or visitors or if the file extensions of uploaded files are limited to a fixed safe list. The attack requires user interaction by another user or visitor and cannot be automated. An editor with write access to the Kirby Panel could upload a file with an unknown file extension like `.xyz` that contains HTML code including harmful content like `<script>` tags. The direct link to that file could be sent to other users or visitors of the site. If the victim opened that link in a browser where they are logged in to Kirby and the file had not been opened by anyone since the upload, Kirby would not be able to send the correct MIME content type, instead falling back to `text/html`. The browser would then run the script, which could for example trigger requests to Kirby's API with the permissions of the victim. The issue was caused by the underlying `Kirby\Http\Response::file()` method, which didn't have an explicit fallback if the MIME type could not be determined from the file extension. If you use this method in site or plugin code, these uses may be affected by the same vulnerability. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have fixed the affected method to use a fallback MIME type of `text/plain` and set the `X-Content-Type-Options: nosniff` header if the MIME type of the file is unknown. | |
| VCID-88cy-kbt4-4qfq (Aliases: CVE-2026-40099, GHSA-w942-j9r6-hr6r) | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allowed the `isDraft` flag to be overridden when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts. | |
| VCID-924u-ruz7-4ycw (Aliases: CVE-2026-32870, GHSA-9wfj-c55w-j9qr) | Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Neither the vulnerable methods nor the data handler are used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability. | |
| VCID-9hqx-7awz-gkgk (Aliases: CVE-2026-41325, GHSA-6gqr-mx34-wh8r) | Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. Kirby provides the `pages.create`, `files.create` and `users.create` permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via `options`. Prior to versions 4.9.0 and 5.4.0, Kirby allowed the `options` to be overridden during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected `options` could include `'create' => true`, which then overrode the permissions and options configured by the site developer in the user and model blueprints. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. The patched versions have updated the normalization code that is used during the creation of pages, files and users to include a filter for the `blueprint` property. This prevents the injection of dynamic blueprint configuration into the creation request. | |
| VCID-apwy-kpv6-1bfv (Aliases: CVE-2026-34587, GHSA-jcjw-58rv-c452) | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's `Options` logic double-resolved queries contained in option values that originated from `OptionsQuery` or `OptionsApi` sources. Such option values are derived from content or from external API responses rather than from the blueprint itself, so query syntax placed inside one of these values was evaluated a second time as if it had been configured by the site developer. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has updated the `Options` logic to no longer double-resolve queries in option values coming from `OptionsQuery` or `OptionsApi` sources and now only resolves queries that are directly configured in the blueprints. | |
| VCID-eu1n-h4bb-cbhk (Aliases: CVE-2026-42137, GHSA-85x2-r8xv-ww8c) | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0. | |
| VCID-gwwh-p6qp-dqaq (Aliases: CVE-2024-41964, GHSA-jm9m-rqr3-wfmh) | Kirby is a CMS targeting designers and editors. Kirby allows restricting the permissions of specific user roles; users of that role can only perform permitted actions. Permissions for creating and deleting languages already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages did not exist before the patched versions, so disabling the `languages.*` wildcard permission for a role could not prohibit updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability. | |
| VCID-hdkp-2m1e-yyfp (Aliases: CVE-2024-26481, GHSA-57f2-8p89-66x6) | Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter. | |
| VCID-hznq-ty2u-f7b7 (Aliases: CVE-2021-41258, GHSA-cq58-r77c-5jjw) | Cross-site scripting (XSS) from image block content in the site frontend. | |
| VCID-j1ph-xzap-hbeb (Alias: GHSA-fr72-9665-w3gr) | Duplicate Advisory: Unrestricted file upload of user avatar images. | |
| VCID-kjq6-c4eb-9qfz (Alias: GHSA-w879-mxj5-c3wf) | Duplicate Advisory: Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field. | |
| VCID-m6s8-ff6x-tuf2 (Alias: GHSA-rv3r-vqjj-8c76) | Cross-site scripting from content entered in the tags and multiselect fields. | |
| VCID-mykp-v2xy-kuh4 (Aliases: CVE-2026-42069, GHSA-2h7v-4372-f6x2) | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | |
| VCID-nc11-mjvd-kqdb (Aliases: CVE-2024-26483, GHSA-xrvh-rvc4-5m43) | An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file. | |
| VCID-rpum-4vax-bbdf (Aliases: CVE-2023-38489, GHSA-5mvj-rvp8-rf45) | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. In the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device even if the logged in user has since changed their password. Kirby did not invalidate user sessions that were created with a password that was since changed by the user or by a site admin. If a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have updated the authentication implementation to keep track of the hashed password in each active session. If the password changed since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases. | |
| VCID-xjxr-1fjw-63ca (Aliases: CVE-2026-42174, GHSA-39cp-6679-8xv2) | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | |
| VCID-xkf7-rwtr-9bas (Aliases: CVE-2021-41252, GHSA-x7j7-qp7j-hw3q) | Cross-site scripting (XSS) from writer field content in the site frontend. | |
| VCID-yb1m-v3jp-5fap (Aliases: CVE-2025-31493, GHSA-x275-h9j4-7p4h) | Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name (such as a collection name that depends on request or user data). Sites that only use fixed calls to the `collection()` helper/`$kirby->collection()` method (i.e. calls with a simple string for the collection name) are *not* affected. A missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the collections root or even outside of the Kirby installation. PHP code within such files was executed. Such attacks first require an attack vector in the site code that is caused by dynamic collection names, such as `collection('tags-' . get('tags'))`. It generally also requires knowledge of the site structure and the server's file system by the attacker, although it can be possible to find vulnerable setups through automated methods such as fuzzing. In a vulnerable setup, this could cause damage to the confidentiality and integrity of the server. The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2, and Kirby 4.7.1. In all of the mentioned releases, the maintainers of Kirby have added a check for the collection path that ensures that the resulting path is contained within the configured collections root. Collection paths that point outside of the collections root will not be loaded. | |
| VCID-z2ke-9m1h-5qhc (Aliases: CVE-2023-38492, GHSA-3v6j-v3qc-cxff) | Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited; however, we still recommend updating to one of the patch releases because they also fix more severe vulnerabilities. Kirby's authentication endpoint did not limit the password length. This allowed attackers to provide a password with a length up to the server's maximum request body length. Validating that password against the user's actual password requires hashing the provided password, which requires more CPU and memory resources (and therefore processing time) the longer the provided password gets. This could be abused by an attacker to cause the website to become unresponsive or unavailable. Because Kirby comes with a built-in brute force protection, the impact of this vulnerability is limited to 10 failed logins from each IP address and 10 failed logins for each existing user per hour. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have added password length limits in the affected code so that passwords longer than 1000 bytes are immediately blocked, both when setting a password and when logging in. | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||