Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-7vp6-yf7c-nkcp
Vulnerability ID VCID-7vp6-yf7c-nkcp
Aliases CVE-2026-21896
GHSA-4j78-4xrm-cr2f
Summary Kirby is missing permission checks in the content changes API The missing permission checks allowed attackers with Panel access to create or discard a changes version or update the content fields in an existing changes version. All of these actions could affect arbitrary models. This could cause the following impact: - Attackers could maliciously create changes versions for all models of the site, creating editing locks that would prevent other authenticated users from making content changes until those locks were cleared. - Attackers could update the content in a malicious way, for example by adding defamatory or spam content or by including malicious links or scripts. While this updated content would not immediately be published to the site, an inattentive editor with update permissions could inadvertently publish these changes in the belief that an authorized user has made them. - Attackers could discard extensive changes, making editors lose their content work.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-863 Incorrect Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00025 https://api.first.org/data/v1/epss?cve=CVE-2026-21896
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2026-21896
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-4j78-4xrm-cr2f
cvssv4 5.8 https://github.com/getkirby/kirby
generic_textual MODERATE https://github.com/getkirby/kirby
cvssv4 5.8 https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47
generic_textual MODERATE https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47
ssvc Track https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47
cvssv4 5.8 https://github.com/getkirby/kirby/releases/tag/5.2.2
generic_textual MODERATE https://github.com/getkirby/kirby/releases/tag/5.2.2
ssvc Track https://github.com/getkirby/kirby/releases/tag/5.2.2
cvssv3.1_qr MODERATE https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f
cvssv4 5.8 https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f
generic_textual MODERATE https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f
ssvc Track https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f
cvssv4 5.8 https://nvd.nist.gov/vuln/detail/CVE-2026-21896
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-21896
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-21896
https://github.com/getkirby/kirby
https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47
https://github.com/getkirby/kirby/releases/tag/5.2.2
CVE-2026-21896 https://nvd.nist.gov/vuln/detail/CVE-2026-21896
GHSA-4j78-4xrm-cr2f https://github.com/advisories/GHSA-4j78-4xrm-cr2f
GHSA-4j78-4xrm-cr2f https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N Found at https://github.com/getkirby/kirby
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N Found at https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T18:19:33Z/ Found at https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N Found at https://github.com/getkirby/kirby/releases/tag/5.2.2
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T18:19:33Z/ Found at https://github.com/getkirby/kirby/releases/tag/5.2.2
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N Found at https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T18:19:33Z/ Found at https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-21896
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.07401
EPSS Score 0.00025
Published At June 6, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:49:25.497027+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/getkirby/cms/CVE-2026-21896.yml 38.6.0