getkirby/cms Security Advisories for 5.3.2 (4)
- [HIGH] Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection
  PKSA-m1sp-3j4c-yg88 CVE-2026-41325 GHSA-6gqr-mx34-wh8r
  Affected version: >=5.0.0,<5.4.0|<4.9.0
  Reported by: GitHub
- [MEDIUM] Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
  PKSA-pyk9-2q1t-drry CVE-2026-40099 GHSA-w942-j9r6-hr6r
  Affected version: >=5.0.0,<5.4.0|<4.9.0
  Reported by: GitHub
- [HIGH] Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
  PKSA-w67s-1md9-r7dk CVE-2026-34587 GHSA-jcjw-58rv-c452
  Affected version: >=5.0.0,<5.4.0|<4.9.0
  Reported by: GitHub
- [MEDIUM] Kirby has XML injection in its XML creator toolkit
  PKSA-rr97-2byk-h46m CVE-2026-32870 GHSA-9wfj-c55w-j9qr
  Affected version: >=5.0.0,<5.4.0|<4.9.0
  Reported by: GitHub