CVE-2026-29905
Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload
Description
### Duplicate Advisory

This advisory has been withdrawn because it has been determined not to be a vulnerability. This link is maintained to preserve external references.

### Original Description

## Summary

Kirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a persistent Denial of Service (DoS) via a malformed image upload.

## Details

The vulnerability is caused by improper validation of the return value of PHP's `getimagesize()` function. When a malformed file is uploaded with a valid image extension (e.g., `.jpg`), the function returns `false` instead of the expected array. The application fails to handle this condition and proceeds with image processing, resulting in a fatal `TypeError`. This leads to persistent application crashes whenever the affected file is accessed.

## Impact

- Persistent Denial of Service (DoS)
- Affected pages return HTTP 500 errors
- Requires manual removal of the malformed file to restore functionality
- Exploitable by authenticated users with Editor permissions

## Identifiers

- CVE-2026-29905

## Resources

- https://github.com/github/advisory-database/pull/7503
- https://github.com/Stalin-143/CVE-2026-29905
- https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1
- https://www.cve.org/CVERecord?id=CVE-2026-29905
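The failure mode the original description names (an unchecked `false` from `getimagesize()` flowing into typed image-processing code) is a general PHP hazard, whatever the status of this particular advisory. The following is an added, self-contained illustration written for this page; it is not Kirby CMS code and says nothing about how Kirby handles uploads. The `describeImage()` consumer is a hypothetical stand-in for any typed processing step, and the `.jpg` fixture is constructed on the fly from non-image bytes.

```php
<?php
declare(strict_types=1);

// Added example, not Kirby CMS code. getimagesize() returns false for a file
// whose bytes are not a parseable image, whatever its extension. Code that
// treats that result as an array then fails with a TypeError on access.

// Constructed fixture: a file with a .jpg name containing non-image bytes.
function makeFakeJpeg(): string
{
    $path = sys_get_temp_dir() . '/' . uniqid('upload_', true) . '.jpg';
    file_put_contents($path, 'definitely not JPEG data');
    return $path;
}

// Hypothetical downstream consumer with typed parameters, standing in for an
// image-processing step such as a thumbnail job.
function describeImage(int $width, int $height): string
{
    return sprintf('%dx%d', $width, $height);
}

// Unsafe pattern: the return value of getimagesize() is never checked.
function dimensionsUnsafe(string $path): string
{
    $info = @getimagesize($path); // false for a malformed file
    // Reading an offset on bool yields null (with a warning); passing null to
    // an int parameter throws TypeError, which is an uncaught fatal error in
    // a request handler -> HTTP 500 every time this file is touched.
    return describeImage($info[0], $info[1]);
}

// Hardened pattern, part 1: validate at upload time, before the file is stored,
// so a bad file is rejected with a client error instead of being persisted.
function validateUpload(string $path): array
{
    $info = @getimagesize($path);
    if ($info === false) {
        throw new InvalidArgumentException("File is not a valid image: $path");
    }
    return ['width' => $info[0], 'height' => $info[1], 'mime' => $info['mime']];
}

// Hardened pattern, part 2: fail closed on access as well, so a bad file that
// is already on disk degrades to a placeholder rather than crashing the page.
function dimensionsSafe(string $path): string
{
    try {
        $meta = validateUpload($path);
        return describeImage($meta['width'], $meta['height']);
    } catch (InvalidArgumentException $e) {
        return 'invalid image';
    }
}

$path = makeFakeJpeg();

try {
    echo dimensionsUnsafe($path), PHP_EOL;
} catch (TypeError $e) {
    echo 'unsafe path: TypeError: ', $e->getMessage(), PHP_EOL;
}

echo 'hardened path: ', dimensionsSafe($path), PHP_EOL;

unlink($path);
```

The two-layer fix mirrors the advisory's own impact list: checking at upload time prevents the bad file from being stored at all (so no manual cleanup is needed), and checking again at access time means a file that slipped through earlier, or was placed on disk by some other route, produces a controlled fallback instead of a persistent 500.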
How to fix CVE-2026-29905
To remediate CVE-2026-29905, upgrade the affected package to a fixed version below.
- Upgrade to 5.2.0-rc.1 or later
Is CVE-2026-29905 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 5.2.0-rc.1