{"url":"http://public2.vulnerablecode.io/api/packages/577114?format=json","purl":"pkg:composer/getkirby/kirby@2.5.1","type":"composer","namespace":"getkirby","name":"kirby","version":"2.5.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43919?format=json","vulnerability_id":"VCID-ku2z-h6ua-qqc3","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nKirby v2.5.12 allows XSS by using the \"site files\" Add option to upload an SVG file.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16630","reference_id":"","reference_type":"","scores":[{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46586","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46568","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46634","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46635","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46614","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16630"},{"reference_url":"https://github.com/getkirby-v2/kirby","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby-v2/kirby"},{"reference_url":"https://web.archive.org/web/20201208015414/https://github.com/security-breachlock/CVE-2018-16630/blob/master/Kirby_Insecure%20file%20validation.pdf","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20201208015414/https://github.com/security-breachlock/CVE-2018-16630/blob/master/Kirby_Insecure%20file%20validation.pdf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16630","reference_id":"CVE-2018-16630","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16630"},{"reference_url":"https://github.com/advisories/GHSA-3gq5-r59m-mmv2","reference_id":"GHSA-3gq5-r59m-mmv2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3gq5-r59m-mmv2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/577132?format=json","purl":"pkg:composer/getkirby/kirby@2.5.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-va9m-m83a-eyf6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/kirby@2.5.13"}],"aliases":["CVE-2018-16630","GHSA-3gq5-r59m-mmv2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ku2z-h6ua-qqc3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57279?format=json","vulnerability_id":"VCID-va9m-m83a-eyf6","summary":"Kirby vulnerable to path traversal of snippet names in the `snippet()` helper\nThe missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the snippets root or even outside of the Kirby installation. PHP code within such files was executed.\n\nSuch attacks first require an attack vector in the site code that is caused by dynamic snippet names, such as `snippet('tags-' . get('tags'))`. It generally also requires knowledge of the site structure and the server's file system by the attacker, although it can be possible to find vulnerable setups through automated methods such as fuzzing.\n\nIn a vulnerable setup, this could cause damage to the confidentiality and integrity of the server, for example:\n\n- it could allow the attacker to build a map of the server's file system for subsequent attacks,\n- it could allow access to configuration files that may contain sensitive information like security tokens or\n- it could cause the unintended execution of PHP scripts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30159","reference_id":"","reference_type":"","scores":[{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75541","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75555","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75565","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00869","scoring_system":"epss","scoring_elements":"0.75561","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30159"},{"reference_url":"https://github.com/getkirby/kirby","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby"},{"reference_url":"https://github.com/getkirby/kirby/commit/90acf7ed6d8d9d0697f938edc0940b4a563ddbe7","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/getkirby/kirby/commit/90acf7ed6d8d9d0697f938edc0940b4a563ddbe7"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/3.10.1.2","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:44:40Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/3.10.1.2"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/3.9.8.3","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:44:40Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/3.9.8.3"},{"reference_url":"https://github.com/getkirby/kirby/releases/tag/4.7.1","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:44:40Z/"}],"url":"https://github.com/getkirby/kirby/releases/tag/4.7.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30159","reference_id":"CVE-2025-30159","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30159"},{"reference_url":"https://github.com/advisories/GHSA-fw82-87p8-v6hp","reference_id":"GHSA-fw82-87p8-v6hp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fw82-87p8-v6hp"},{"reference_url":"https://github.com/getkirby/kirby/security/advisories/GHSA-fw82-87p8-v6hp","reference_id":"GHSA-fw82-87p8-v6hp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-13T19:44:40Z/"}],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-fw82-87p8-v6hp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85094?format=json","purl":"pkg:composer/getkirby/kirby@3.9.8%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/kirby@3.9.8%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/85095?format=json","purl":"pkg:composer/getkirby/kirby@3.10.1%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/kirby@3.10.1%252B2"},{"url":"http://public2.vulnerablecode.io/api/packages/85096?format=json","purl":"pkg:composer/getkirby/kirby@4.7.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/kirby@4.7.1"}],"aliases":["CVE-2025-30159","GHSA-fw82-87p8-v6hp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-va9m-m83a-eyf6"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/getkirby/kirby@2.5.1"}