Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-88cy-kbt4-4qfq
Vulnerability ID VCID-88cy-kbt4-4qfq
Aliases CVE-2026-40099
GHSA-w942-j9r6-hr6r
Summary Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-863 Incorrect Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2026-40099
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2026-40099
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2026-40099
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-w942-j9r6-hr6r
cvssv4 5.3 https://github.com/getkirby/kirby
generic_textual MODERATE https://github.com/getkirby/kirby
cvssv4 5.3 https://github.com/getkirby/kirby/releases/tag/4.9.0
generic_textual MODERATE https://github.com/getkirby/kirby/releases/tag/4.9.0
ssvc Track https://github.com/getkirby/kirby/releases/tag/4.9.0
cvssv4 5.3 https://github.com/getkirby/kirby/releases/tag/5.4.0
generic_textual MODERATE https://github.com/getkirby/kirby/releases/tag/5.4.0
ssvc Track https://github.com/getkirby/kirby/releases/tag/5.4.0
cvssv3.1_qr MODERATE https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r
cvssv4 5.3 https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r
generic_textual MODERATE https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r
ssvc Track https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r
cvssv4 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-40099
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-40099
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-40099
https://github.com/getkirby/kirby
https://nvd.nist.gov/vuln/detail/CVE-2026-40099
4.9.0 https://github.com/getkirby/kirby/releases/tag/4.9.0
5.4.0 https://github.com/getkirby/kirby/releases/tag/5.4.0
GHSA-w942-j9r6-hr6r https://github.com/advisories/GHSA-w942-j9r6-hr6r
GHSA-w942-j9r6-hr6r https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/getkirby/kirby
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/getkirby/kirby/releases/tag/4.9.0
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/ Found at https://github.com/getkirby/kirby/releases/tag/4.9.0
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/getkirby/kirby/releases/tag/5.4.0
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/ Found at https://github.com/getkirby/kirby/releases/tag/5.4.0
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-25T01:41:45Z/ Found at https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-40099
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.08343
EPSS Score 0.00028
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:53:16.484493+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/40xxx/CVE-2026-40099.json 38.6.0