VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-5v41-4fe5-r7ag

Essentials
Severities (30)
References (11)
Severity details (27)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-5v41-4fe5-r7ag
Aliases	CVE-2023-38490 GHSA-q386-w6fg-gmgp
Summary	Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods. XML External Entities (XXE) is a little used feature in the XML markup language that allows to include data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF). Kirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation. The `Xml::parse()` method is used in the `Xml` data handler (e.g. `Data::decode($string, 'xml')`). Both the vulnerable method and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to parse RSS feeds or other XML files. If those files are of an external origin (e.g. uploaded by a user or retrieved from an external URL), attackers may be able to include an external entity in the XML file that will then be processed in the parsing process. Kirby sites that don't use XML parsing in site or plugin code are not affected. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have removed the `LIBXML_NOENT` constant as processing of external entities is out of scope of the parsing logic. This protects all uses of the method against the described vulnerability.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-611	Improper Restriction of XML External Entity Reference
CWE-776	Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.20373	https://api.first.org/data/v1/epss?cve=CVE-2023-38490
epss	0.20373	https://api.first.org/data/v1/epss?cve=CVE-2023-38490
epss	0.20373	https://api.first.org/data/v1/epss?cve=CVE-2023-38490
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-q386-w6fg-gmgp
cvssv3.1	6.8	https://github.com/getkirby/kirby
generic_textual	MODERATE	https://github.com/getkirby/kirby
cvssv3.1	6.8	https://github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387
generic_textual	MODERATE	https://github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387
ssvc	Track	https://github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387
cvssv3.1	6.8	https://github.com/getkirby/kirby/releases/tag/3.5.8.3
generic_textual	MODERATE	https://github.com/getkirby/kirby/releases/tag/3.5.8.3
ssvc	Track	https://github.com/getkirby/kirby/releases/tag/3.5.8.3
cvssv3.1	6.8	https://github.com/getkirby/kirby/releases/tag/3.6.6.3
generic_textual	MODERATE	https://github.com/getkirby/kirby/releases/tag/3.6.6.3
ssvc	Track	https://github.com/getkirby/kirby/releases/tag/3.6.6.3
cvssv3.1	6.8	https://github.com/getkirby/kirby/releases/tag/3.7.5.2
generic_textual	MODERATE	https://github.com/getkirby/kirby/releases/tag/3.7.5.2
ssvc	Track	https://github.com/getkirby/kirby/releases/tag/3.7.5.2
cvssv3.1	6.8	https://github.com/getkirby/kirby/releases/tag/3.8.4.1
generic_textual	MODERATE	https://github.com/getkirby/kirby/releases/tag/3.8.4.1
ssvc	Track	https://github.com/getkirby/kirby/releases/tag/3.8.4.1
cvssv3.1	6.8	https://github.com/getkirby/kirby/releases/tag/3.9.6
generic_textual	MODERATE	https://github.com/getkirby/kirby/releases/tag/3.9.6
ssvc	Track	https://github.com/getkirby/kirby/releases/tag/3.9.6
cvssv3.1	6.8	https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp
cvssv3.1_qr	MODERATE	https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp
generic_textual	MODERATE	https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp
ssvc	Track	https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp
cvssv3.1	6.8	https://nvd.nist.gov/vuln/detail/CVE-2023-38490
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2023-38490

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-38490
		https://github.com/getkirby/kirby
		https://nvd.nist.gov/vuln/detail/CVE-2023-38490
277b05662d2b67386f0a0f18323cf68b30e86387		https://github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387
3.5.8.3		https://github.com/getkirby/kirby/releases/tag/3.5.8.3
3.6.6.3		https://github.com/getkirby/kirby/releases/tag/3.6.6.3
3.7.5.2		https://github.com/getkirby/kirby/releases/tag/3.7.5.2
3.8.4.1		https://github.com/getkirby/kirby/releases/tag/3.8.4.1
3.9.6		https://github.com/getkirby/kirby/releases/tag/3.9.6
GHSA-q386-w6fg-gmgp		https://github.com/advisories/GHSA-q386-w6fg-gmgp
GHSA-q386-w6fg-gmgp		https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/getkirby/kirby

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/ Found at https://github.com/getkirby/kirby/commit/277b05662d2b67386f0a0f18323cf68b30e86387

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.5.8.3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/ Found at https://github.com/getkirby/kirby/releases/tag/3.5.8.3

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.6.6.3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/ Found at https://github.com/getkirby/kirby/releases/tag/3.6.6.3

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.7.5.2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/ Found at https://github.com/getkirby/kirby/releases/tag/3.7.5.2

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.8.4.1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/ Found at https://github.com/getkirby/kirby/releases/tag/3.8.4.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.9.6

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/ Found at https://github.com/getkirby/kirby/releases/tag/3.9.6

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:11:59Z/ Found at https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-38490

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.95673
EPSS Score	0.20373
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T17:20:57.060686+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2023/38xxx/CVE-2023-38490.json	38.6.0