
getkirby — Vulnerabilities & Security Advisories (29)

Browse all 29 CVE security advisories affecting getkirby. AI-powered Chinese analysis, POCs, and references for each vulnerability.

GetKirby is a flat-file CMS designed for web developers, utilizing PHP and YAML to manage content without a database. Its architecture, while simplifying deployment, has historically exposed it to significant security risks, resulting in twenty-five recorded CVEs. The most prevalent vulnerability classes involve Remote Code Execution (RCE) and Cross-Site Scripting (XSS), often stemming from insufficient input validation in file handling and template rendering processes. Privilege escalation flaws have also been documented, allowing unauthorized users to gain administrative access. A notable incident involved a critical RCE vulnerability in the panel’s file upload functionality, which permitted attackers to execute arbitrary code on the server. These issues highlight the challenges of maintaining security in flat-file systems where traditional database protections are absent, necessitating rigorous code auditing and strict access controls to mitigate the inherent risks associated with its design philosophy.

Top products by getkirby: kirby

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-42174 | Kirby: User avatar creation, replacement and deletion are not gated by user update permissions | kirby | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-05-09 |
| CVE-2026-42137 | Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog | kirby | CWE-862 | 8.2 (AI) | High (AI) | 2026-05-09 |
| CVE-2026-42051 | Kirby: System API endpoint leaks license data and installed version to authenticated users | kirby | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-05-09 |
| CVE-2026-42069 | Kirby: Read access to site, user and role information is not gated by permissions | kirby | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-05-09 |
| CVE-2026-41325 | Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection | kirby | CWE-863 | 8.8 (AI) | High (AI) | 2026-04-24 |
| CVE-2026-40099 | Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter | kirby | CWE-863 | 6.5 (AI) | Medium (AI) | 2026-04-24 |
| CVE-2026-34587 | Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering | kirby | CWE-1336 | 6.5 (AI) | Medium (AI) | 2026-04-24 |
| CVE-2026-32870 | Kirby has XML injection in its XML creator toolkit | kirby | CWE-91 | 7.1 (AI) | High (AI) | 2026-04-24 |
| CVE-2026-21896 | Kirby is missing permission checks in the content changes API | kirby | CWE-863 | 4.3 | - | 2026-01-08 |
| CVE-2025-65012 | Kirby CMS has cross-site scripting (XSS) in the changes dialog | kirby | CWE-79 | 4.6 (AI) | Medium (AI) | 2025-11-18 |
| CVE-2025-31493 | Path traversal of collection names during file system lookup | kirby | CWE-22 | 8.3 (AI) | High (AI) | 2025-05-13 |
| CVE-2025-30207 | Kirby vulnerable to path traversal in the router for PHP's built-in server | kirby | CWE-22 | 8.1 (AI) | High (AI) | 2025-05-13 |
| CVE-2025-30159 | Kirby vulnerable to path traversal of snippet names in the `snippet()` helper | kirby | CWE-22 | 7.1 (AI) | High (AI) | 2025-05-13 |
| CVE-2024-41964 | Insufficient permission checks in the language settings in Kirby CMS | kirby | CWE-863 | 8.1 | High | 2024-08-29 |
| CVE-2024-27087 | Kirby cross-site scripting (XSS) in the link field "Custom" type | kirby | CWE-79 | 4.6 | Medium | 2024-02-26 |
| CVE-2023-38492 | Kirby vulnerable to denial of service from unlimited password lengths | kirby | CWE-770 | 5.3 | Medium | 2023-07-27 |
| CVE-2023-38491 | Kirby vulnerable to Cross-site scripting (XSS) from MIME type auto-detection of uploaded files | kirby | CWE-79 | 5.7 | Medium | 2023-07-27 |
| CVE-2023-38490 | Kirby XML External Entity (XXE) vulnerability in the XML data handler | kirby | CWE-611 | 6.8 | Medium | 2023-07-27 |
| CVE-2023-38489 | Kirby vulnerable to Insufficient Session Expiration after a password change | kirby | CWE-613 | 7.3 | High | 2023-07-27 |
| CVE-2023-38488 | Kirby vulnerable to field injection in the KirbyData text storage handler | kirby | CWE-140 | 7.1 | High | 2023-07-27 |
| CVE-2022-39315 | Kirby CMS vulnerable to user enumeration in the brute force protection | kirby | CWE-204 | 6.5 | Medium | 2022-10-25 |
| CVE-2022-39314 | User enumeration in the code-based login and password reset forms | kirby | CWE-307 | 5.3 | - | 2022-10-24 |
| CVE-2022-36037 | Cross-site scripting (XSS) from dynamic options in the multiselect field in Kirby | kirby | CWE-79 | 5.9 | Medium | 2022-08-29 |
| CVE-2021-41258 | Cross-site scripting (XSS) from image block content in the site frontend | kirby | CWE-79 | 7.3 | High | 2021-11-16 |
| CVE-2021-41252 | Cross-site scripting (XSS) from writer field content in the site frontend | kirby | CWE-79 | 7.3 | High | 2021-11-16 |
| CVE-2021-32735 | Cross-site scripting (XSS) from field and configuration text displayed in the Panel | kirby | CWE-80 | 7.1 | High | 2021-07-02 |
| CVE-2021-29460 | Cross-site scripting (XSS) from unsanitized uploaded SVG files | kirby | CWE-79 | 7.6 | High | 2021-04-27 |
| CVE-2020-26255 | PHP Phar archives could be uploaded and executed in Kirby | kirby | CWE-434 | 6.8 | Medium | 2020-12-08 |
| CVE-2020-26253 | .dev domains treated as local in Kirby | kirby | CWE-346 | 6.8 | Medium | 2020-12-08 |

CVSS and severity values marked "(AI)" are AI-estimated rather than taken from the advisory; "-" means no severity rating is given.

This page lists every published CVE security advisory associated with getkirby. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.