| Severity | CVSS | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| HIGH | 8.1 | CVE-2026-34587 | Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering | from 0, < 4.9.0 |
| HIGH | 8.1 | CVE-2024-41964 | Kirby has insufficient permission checks in the language settings | from 0, < 3.6.6.6 |
| HIGH | 7.6 | CVE-2021-29460 | Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby | from 0, < 3.5.4 |
| HIGH | 7.3 | | Insufficient Session Expiration after a password change | from 0, < 3.5.8.3 |
| HIGH | 7.1 | | Field injection in the KirbyData text storage handler | from 0, < 3.5.8.3 |
| HIGH | 7.1 | | Cross-site scripting (XSS) from field and configuration text displayed in the Panel | from 0, < 3.5.7 |
| MEDIUM | 6.8 | | XML External Entity (XXE) vulnerability in the XML data handler | from 0, < 3.5.8.3 |
| MEDIUM | 6.8 | | Kirby .dev domains and some reverse proxy setups were treated as local | >= 3.0.0, < 3.3.6 |
| MEDIUM | 6.8 | | Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5 | >= 3.0.0, < 3.4.5 |
| MEDIUM | 6.5 | | Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload | from 0, < 5.2.0-rc.1 |
| MEDIUM | 6.5 | | Kirby CMS vulnerable to user enumeration in the brute force protection | from 0, < 3.5.8.2 |
| MEDIUM | 5.9 | | Cross-site scripting from dynamic options in the multiselect field | from 0, < 3.5.8.1 |
| MEDIUM | 5.7 | | Cross-site scripting (XSS) from MIME type auto-detection of uploaded files | from 0, < 3.5.8.3 |
| MEDIUM | 5.4 | | Kirby CMS 2.5.12 Cross-site Scripting | from 0, <= 2.5.12 |
| MEDIUM | 5.4 | | Kirby XSS Vulnerability | from 0, < 2.3.3 |
| MEDIUM | 5.4 | | Cross-site scripting (XSS) from image block content in the site frontend | >= 3.5.0, < 3.5.8 |
| MEDIUM | 5.4 | | Cross-site scripting (XSS) from writer field content in the site frontend | >= 3.5.0, < 3.5.8 |
| MEDIUM | 5.3 | | Denial of service from unlimited password lengths | from 0, < 3.5.8.3 |
| MEDIUM | 4.8 | | Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms | >= 3.5.0, < 3.5.8.2 |
| MEDIUM | 4.6 | | Kirby vulnerable to Cross-site scripting (XSS) in the link field "Custom" type | >= 4.0.0, < 4.1.1 |
| MEDIUM | 4.6 | | Kirby vulnerable to unrestricted file upload of user avatar images | from 0, < 3.6.6.5 |
| MEDIUM | 4.3 | | Kirby CMS 2.5.12 Cross-site Request Forgery | from 0, <= 2.5.12 |
| MEDIUM | 4.2 | | Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field | from 0, < 3.6.6.5 |
| — | — | | Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend | from 0, < 4.9.1 |
| — | — | | Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions | from 0, < 4.9.1 |
| — | — | | Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup | >= 5.3.0, < 5.4.1 |
| — | — | | Kirby CMS's `pages.access` permission is not checked during rendering of page drafts | from 0, < 4.9.1 |
| — | — | | Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend | from 0, < 4.9.1 |
| — | — | | Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints | from 0, < 4.9.1 |
| — | — | | Kirby CMS's system API endpoint leaks installed version and license data to authenticated users | from 0, < 4.9.0 |
| — | — | | Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions | from 0, < 4.9.0 |
| — | — | | Kirby CMS's read access to site, user and role information is not gated by permissions | from 0, < 4.9.0 |
| — | — | | Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API | from 0, < 4.9.0 |
| — | — | | Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection | from 0, < 4.9.0 |
| — | — | | Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter | from 0, < 4.9.0 |
| — | — | | Kirby has XML injection in its XML creator toolkit | from 0, < 4.9.0 |
| — | — | | Kirby is missing permission checks in the content changes API | >= 5.0.0, < 5.2.2 |
| — | — | | Kirby CMS has cross-site scripting (XSS) in the changes dialog | >= 5.0.0, < 5.1.4 |
| — | — | | Kirby vulnerable to path traversal in the router for PHP's built-in server | from 0, < 3.9.8.3 |
| — | — | | Kirby vulnerable to path traversal of collection names during file system lookup | from 0, < 3.9.8.3 |

Rows marked "—" carry no severity rating or CVSS score on the source page; "from 0" denotes every release before the stated upper bound.