{"url":"http://public2.vulnerablecode.io/api/packages/41522?format=json","purl":"pkg:composer/getkirby/cms@5.4.0","type":"composer","namespace":"getkirby","name":"cms","version":"5.4.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.4.1","latest_non_vulnerable_version":"6.0.0-alpha.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213032?format=json","vulnerability_id":"VCID-5acg-5t6t-5ybv","summary":"Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44177","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33309","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38685","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38696","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44177"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.1"},{"reference_url":"https://github.com/advisories/GHSA-9hx7-c53c-v6x8","reference_id":"GHSA-9hx7-c53c-v6x8","reference_type":"","scores":[{"value":"HIGH","scoring_
system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9hx7-c53c-v6x8"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-9hx7-c53c-v6x8","reference_id":"GHSA-9hx7-c53c-v6x8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-9hx7-c53c-v6x8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41523?format=json","purl":"pkg:composer/getkirby/cms@5.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1"}],"aliases":["CVE-2026-44177","GHSA-9hx7-c53c-v6x8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5acg-5t6t-5ybv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213031?format=json","vulnerability_id":"VCID-jkcv-nc7m-j3dp","summary":"Kirby CMS's `pages.access` permission is not checked during rendering of page 
drafts","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44176","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10093","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10083","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10099","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44176"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.1","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.1"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.1","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.1"},{"reference_url":"https://github.com/advisories/GHSA-2xw4-v2wx-hqq9","reference_id":"GHSA-2xw4-v2wx-hqq9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2xw4-v2wx-hqq9"},{"reference_url":"https://github.com/getkirby/kirby/security/adv
isories/GHSA-2xw4-v2wx-hqq9","reference_id":"GHSA-2xw4-v2wx-hqq9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-2xw4-v2wx-hqq9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41523?format=json","purl":"pkg:composer/getkirby/cms@5.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1"}],"aliases":["CVE-2026-44176","GHSA-2xw4-v2wx-hqq9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jkcv-nc7m-j3dp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213030?format=json","vulnerability_id":"VCID-ngz6-fm9j-4ucy","summary":"Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site 
frontend","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44175","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12414","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12402","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12423","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44175"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.1","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.1"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.1","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.1"},{"reference_url":"https://github.com/advisories/GHSA-5fhx-9q32-q257","reference_id":"GHSA-5fhx-9q32-q257","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5fhx-9q32-q257"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-5fhx
-9q32-q257","reference_id":"GHSA-5fhx-9q32-q257","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-5fhx-9q32-q257"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41523?format=json","purl":"pkg:composer/getkirby/cms@5.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1"}],"aliases":["CVE-2026-44175","GHSA-5fhx-9q32-q257"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ngz6-fm9j-4ucy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213047?format=json","vulnerability_id":"VCID-qbq9-a8cw-5ugu","summary":"Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` 
permissions","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45334","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10093","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10083","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10099","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45334"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.1"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.1"},{"reference_url":"https://github.com/advisories/GHSA-39vq-49qm-r2mc","reference_id":"GHSA-39vq-49qm-r2mc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-39vq-49qm-r2mc"},{"reference_url":"https://github.com/getkirby/kirby/securit
y/advisories/GHSA-39vq-49qm-r2mc","reference_id":"GHSA-39vq-49qm-r2mc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-39vq-49qm-r2mc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41523?format=json","purl":"pkg:composer/getkirby/cms@5.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1"}],"aliases":["CVE-2026-45334","GHSA-39vq-49qm-r2mc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qbq9-a8cw-5ugu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213029?format=json","vulnerability_id":"VCID-xz7d-pny6-gkf7","summary":"Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query 
Endpoints","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44174","reference_id":"","reference_type":"","scores":[{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21785","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21771","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21797","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44174"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.1","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.1"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.1","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.1"},{"reference_url":"https://github.com/advisories/GHSA-86rh-h242-j8xp","reference_id":"GHSA-86rh-h242-j8xp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-86rh-h242-j8xp"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-86r
h-h242-j8xp","reference_id":"GHSA-86rh-h242-j8xp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-86rh-h242-j8xp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41523?format=json","purl":"pkg:composer/getkirby/cms@5.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1"}],"aliases":["CVE-2026-44174","GHSA-86rh-h242-j8xp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xz7d-pny6-gkf7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213049?format=json","vulnerability_id":"VCID-zuh5-yybj-h7er","summary":"Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site 
frontend","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45368","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19678","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19674","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19699","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45368"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.1","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.1"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.1","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.1"},{"reference_url":"https://github.com/advisories/GHSA-qvjf-922g-pj44","reference_id":"GHSA-qvjf-922g-pj44","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qvjf-922g-pj44"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-q
vjf-922g-pj44","reference_id":"GHSA-qvjf-922g-pj44","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-qvjf-922g-pj44"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41523?format=json","purl":"pkg:composer/getkirby/cms@5.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.1"}],"aliases":["CVE-2026-45368","GHSA-qvjf-922g-pj44"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zuh5-yybj-h7er"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70517?format=json","vulnerability_id":"VCID-1425-ev7t-vqfg","summary":"Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. 
This issue has been patched in versions 4.9.0 and 5.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42051","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.1047","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10444","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10467","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10415","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42051"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42051","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42051"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.0","reference_id":"4.9.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:40:16Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.0"},{"reference_url":"https://github.com/getkirby/kirby/release
s/tag/5.4.0","reference_id":"5.4.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:40:16Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.0"},{"reference_url":"https://github.com/advisories/GHSA-x68m-c7jf-2572","reference_id":"GHSA-x68m-c7jf-2572","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x68m-c7jf-2572"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-x68m-c7jf-2572","reference_id":"GHSA-x68m-c7jf-2572","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:40:16Z/"}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-x68m-c7jf-2572"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41520?format=json","purl":"pkg:composer/getkirby/cms@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/41522?format=json","purl":"pkg:composer/getkirby/cms@5.4.0","is_vulnerable":true,"affected_by_vulnera
bilities":[{"vulnerability":"VCID-5acg-5t6t-5ybv"},{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"}],"aliases":["CVE-2026-42051","GHSA-x68m-c7jf-2572"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1425-ev7t-vqfg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84275?format=json","vulnerability_id":"VCID-88cy-kbt4-4qfq","summary":"Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. 
Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40099","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08381","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08379","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08384","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08343","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40099"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40099","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40099"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.0","reference_id":"4.9.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/"}],"url":"ht
tps://github.com/getkirby/kirby/releases/tag/4.9.0"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.0","reference_id":"5.4.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.0"},{"reference_url":"https://github.com/advisories/GHSA-w942-j9r6-hr6r","reference_id":"GHSA-w942-j9r6-hr6r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w942-j9r6-hr6r"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r","reference_id":"GHSA-w942-j9r6-hr6r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/"}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41520?format=json","purl":"pkg:composer/getkirby/cms@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"},{"url":"http://public2.vulnerablecode.io/ap
i/packages/798088?format=json","purl":"pkg:composer/getkirby/cms@5.0.0-alpha.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/41522?format=json","purl":"pkg:composer/getkirby/cms@5.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5acg-5t6t-5ybv"},{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/906792?format=json","purl":"pkg:composer/getkirby/cms@6.0.0-alpha.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@6.0.0-alpha.1"}],"aliases":["CVE-2026-40099","GHSA-w942-j9r6-hr6r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-88cy-kbt4-4qfq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77550?format=json","vulnerability_id":"VCID-924u-ruz7-4ycw","summary":"Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. 
The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32870","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13417","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.1351","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13534","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13537","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32870"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32870","reference_id":"","reference_type":"","scores":[{"value
":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32870"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.0","reference_id":"4.9.0","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.0"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.0","reference_id":"5.4.0","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.0"},{"reference_url":"https://github.com/advisories/GHSA-9wfj-c55w-j9qr","reference_id":"GHSA-9wfj-c55w-j9qr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9wfj-c55w-j9qr"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr","reference_id":"GHSA-9wfj-c55w-j9qr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":
"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/"}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41520?format=json","purl":"pkg:composer/getkirby/cms@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/798088?format=json","purl":"pkg:composer/getkirby/cms@5.0.0-alpha.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/41522?format=json","purl":"pkg:composer/getkirby/cms@5.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5acg-5t6t-5ybv"},{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/906792?format=json","purl":"pkg:composer/getkirby/cms@6.0.0-alpha.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@6.0.0-alpha.1"}],"aliases":["CVE-2026-32870","GHSA-9wfj-c55w-j9qr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-924u-ruz7-4ycw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80692?
format=json","vulnerability_id":"VCID-9hqx-7awz-gkgk","summary":"Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. Kirby provides the `pages.create`, `files.create` and `users.create` permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via `options`. Prior to versions 4.9.0 and 5.4.0, Kirby allowed the `options` to be overridden during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected `options` could include `'create' => true`, which then caused an override of the permissions and options configured by the site developer in the user and model blueprints. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. The patched versions have updated the normalization code that is used during the creation of pages, files and users to include a filter for the `blueprint` property. 
This prevents the injection of dynamic blueprint configuration into the creation request.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41325","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12829","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12915","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12924","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12934","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41325"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41325","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41325"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.0","reference_id":"4.9.0","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T12:11:33Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.0"},{"reference_url":"https://github.com/
getkirby/kirby/releases/tag/5.4.0","reference_id":"5.4.0","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T12:11:33Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.0"},{"reference_url":"https://github.com/advisories/GHSA-6gqr-mx34-wh8r","reference_id":"GHSA-6gqr-mx34-wh8r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6gqr-mx34-wh8r"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r","reference_id":"GHSA-6gqr-mx34-wh8r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-24T12:11:33Z/"}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41520?format=json","purl":"pkg:composer/getkirby/cms@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/41522?format=json","purl":"pkg:composer/getkirby/cms@5.4.0","is_vulnerable":true,"affected_by_v
ulnerabilities":[{"vulnerability":"VCID-5acg-5t6t-5ybv"},{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"}],"aliases":["CVE-2026-41325","GHSA-6gqr-mx34-wh8r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9hqx-7awz-gkgk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75186?format=json","vulnerability_id":"VCID-apwy-kpv6-1bfv","summary":"Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). In affected releases, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. 
Kirby has updated the `Options` logic to no longer double-resolve queries in option values coming from `OptionsQuery` or `OptionsApi` sources. Kirby now only resolves queries that are directly configured in the blueprints.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34587","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10312","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.1029","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10257","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10307","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34587"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34587","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34587"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.0","reference_id":"4.9.0","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3
.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T17:10:14Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.0"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.0","reference_id":"5.4.0","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T17:10:14Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.0"},{"reference_url":"https://github.com/advisories/GHSA-jcjw-58rv-c452","reference_id":"GHSA-jcjw-58rv-c452","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jcjw-58rv-c452"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-jcjw-58rv-c452","reference_id":"GHSA-jcjw-58rv-c452","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-24T17:10:14Z/"}],"url":"https://github.com/ge
tkirby/kirby/security/advisories/GHSA-jcjw-58rv-c452"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41520?format=json","purl":"pkg:composer/getkirby/cms@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/798088?format=json","purl":"pkg:composer/getkirby/cms@5.0.0-alpha.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/41522?format=json","purl":"pkg:composer/getkirby/cms@5.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5acg-5t6t-5ybv"},{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"},{"url":"http://public2.vulnerablecode.io/api/packages/906792?format=json","purl":"pkg:composer/getkirby/cms@6.0.0-alpha.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@6.0.0-alpha.1"}],"aliases":["CVE-2026-34587","GHSA-jcjw-58rv-c452"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-apwy-kpv6-1bfv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70388?format=json","vulnerability_id":"VCID-eu1n-h4bb-cbhk","summary":"Kirby is an open-source content management system. 
Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42137","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01428","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01443","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01436","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01424","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42137"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.0","reference_id":"4.9.0","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T02:21:41Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.0"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.0","reference_id":"5.4.0","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_tex
tual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T02:21:41Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42137","reference_id":"CVE-2026-42137","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42137"},{"reference_url":"https://github.com/advisories/GHSA-85x2-r8xv-ww8c","reference_id":"GHSA-85x2-r8xv-ww8c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-85x2-r8xv-ww8c"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c","reference_id":"GHSA-85x2-r8xv-ww8c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T02:21:41Z/"}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41520?format=json","purl":"pkg:composer/getkirby/cms@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/41522?format=json","purl":"pkg:composer/getkirby/cms@5.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5acg-5t6t-5ybv"},{"vulnerability
":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"}],"aliases":["CVE-2026-42137","GHSA-85x2-r8xv-ww8c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eu1n-h4bb-cbhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70214?format=json","vulnerability_id":"VCID-mykp-v2xy-kuh4","summary":"Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42069","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09062","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.0905","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.0906","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09011","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42069"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42069","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4
.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42069"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.0","reference_id":"4.9.0","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:32:21Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.0"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4.0","reference_id":"5.4.0","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:32:21Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.0"},{"reference_url":"https://github.com/advisories/GHSA-2h7v-4372-f6x2","reference_id":"GHSA-2h7v-4372-f6x2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2h7v-4372-f6x2"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2","reference_id":"GHSA-2h7v-4372-f6x2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D
:T/2026-05-12T13:32:21Z/"}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41520?format=json","purl":"pkg:composer/getkirby/cms@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/41522?format=json","purl":"pkg:composer/getkirby/cms@5.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5acg-5t6t-5ybv"},{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"}],"aliases":["CVE-2026-42069","GHSA-2h7v-4372-f6x2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mykp-v2xy-kuh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70565?format=json","vulnerability_id":"VCID-xjxr-1fjw-63ca","summary":"Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. 
This issue has been patched in versions 4.9.0 and 5.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42174","reference_id":"","reference_type":"","scores":[{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.01036","published_at":"2026-06-13T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.0104","published_at":"2026-06-14T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.0103","published_at":"2026-06-12T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.01032","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42174"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42174","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42174"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.9.0","reference_id":"4.9.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:41:35Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.0"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/5.4
.0","reference_id":"5.4.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:41:35Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.0"},{"reference_url":"https://github.com/advisories/GHSA-39cp-6679-8xv2","reference_id":"GHSA-39cp-6679-8xv2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-39cp-6679-8xv2"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2","reference_id":"GHSA-39cp-6679-8xv2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:41:35Z/"}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41520?format=json","purl":"pkg:composer/getkirby/cms@4.9.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@4.9.0"},{"url":"http://public2.vulnerablecode.io/api/packages/41522?format=json","purl":"pkg:composer/getkirby/cms@5.4.0","is_vulnerable":true,"affected_by_vulnerabilities"
:[{"vulnerability":"VCID-5acg-5t6t-5ybv"},{"vulnerability":"VCID-jkcv-nc7m-j3dp"},{"vulnerability":"VCID-ngz6-fm9j-4ucy"},{"vulnerability":"VCID-qbq9-a8cw-5ugu"},{"vulnerability":"VCID-xz7d-pny6-gkf7"},{"vulnerability":"VCID-zuh5-yybj-h7er"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"}],"aliases":["CVE-2026-42174","GHSA-39cp-6679-8xv2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xjxr-1fjw-63ca"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/cms@5.4.0"}