getkirby kirby Vulnerabilities: CVEs, CISA KEV & Security Advisories

Severity and exploitation

How the CVSS severity of getkirby kirby's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical0

High13

Medium20

Low2

6 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

None of getkirby kirby's CVEs are currently listed in CISA's KEV catalog.

Public exploits

8 of getkirby kirby's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every getkirby kirby version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

3.9.09 CVEs
3.9.19 CVEs
3.9.1-rc.19 CVEs
3.9.29 CVEs
3.9.2-rc.19 CVEs
3.9.39 CVEs
3.9.3-rc.19 CVEs
3.9.49 CVEs
3.9.4-rc.19 CVEs
3.9.59 CVEs
3.9.5-rc.19 CVEs
3.9.6-rc.19 CVEs
< 4.9.08 CVEs
>= 5.0.0, < 5.4.08 CVEs
4.0.08 CVEs
4.0.18 CVEs
4.0.28 CVEs
4.0.38 CVEs
4.1.08 CVEs
4.1.0-rc.18 CVEs
4.1.0-rc.28 CVEs
4.1.0-rc.38 CVEs
3.5.07 CVEs
3.5.17 CVEs
3.5.1-rc.17 CVEs
3.5.27 CVEs
3.5.2-rc.17 CVEs
3.5.37 CVEs
3.5.3.17 CVEs
3.5.46 CVEs
3.5.56 CVEs
3.5.5-rc.16 CVEs
3.5.66 CVEs
3.5.6-rc.16 CVEs
3.5.7-rc.16 CVEs
3.8.06 CVEs
4.1.16 CVEs
< 3.5.8.35 CVEs
>= 3.6.0, < 3.6.6.35 CVEs
>= 3.7.0, < 3.7.5.25 CVEs
>= 3.8.0, < 3.8.415 CVEs
>= 3.9.0, < 3.9.65 CVEs
3.0.05 CVEs
3.0.15 CVEs
3.0.25 CVEs
3.0.2-rc.15 CVEs
3.0.35 CVEs
3.0.3-rc.15 CVEs
3.0.3-rc.25 CVEs
3.0.3-rc.35 CVEs
3.1.05 CVEs
3.1.0-rc.15 CVEs
3.1.15 CVEs
3.1.25 CVEs
3.1.2-rc.15 CVEs
3.1.35 CVEs
3.1.3-rc.15 CVEs
3.1.45 CVEs
3.1.4-rc.15 CVEs
3.2.05 CVEs
3.2.0-rc.15 CVEs
3.2.0-rc.25 CVEs
3.2.0-rc.35 CVEs
3.2.0-rc.45 CVEs
3.2.15 CVEs
3.2.1-rc.15 CVEs
3.2.25 CVEs
3.2.35 CVEs
3.2.3-rc.15 CVEs
3.2.45 CVEs
3.2.4-rc.15 CVEs
3.2.55 CVEs
3.2.5-rc.15 CVEs
3.2.5-rc.25 CVEs
3.3.05 CVEs
3.3.0-rc.15 CVEs
3.3.0-rc.25 CVEs
3.3.0-rc.35 CVEs
3.3.0-rc.45 CVEs
3.3.0-rc.55 CVEs
3.3.15 CVEs
3.3.1-rc.15 CVEs
3.3.25 CVEs
3.3.2-rc.15 CVEs
3.3.35 CVEs
3.3.3-rc.15 CVEs
3.3.45 CVEs
3.3.4-rc.15 CVEs
3.3.55 CVEs
3.3.5-rc.15 CVEs
3.3.65 CVEs
3.4.05 CVEs
3.4.0-rc.15 CVEs
3.4.0-rc.25 CVEs
3.4.0-rc.35 CVEs
3.4.15 CVEs
3.4.25 CVEs
3.4.35 CVEs
3.4.45 CVEs
3.4.4-rc.15 CVEs
3.4.55 CVEs
3.5.0-rc.15 CVEs
3.5.0-rc.25 CVEs
3.5.0-rc.35 CVEs
3.5.0-rc.45 CVEs
3.5.0-rc.55 CVEs
3.5.0-rc.65 CVEs
3.5.0-rc.75 CVEs
3.5.75 CVEs
3.5.7.15 CVEs
3.7.05 CVEs
3.7.0.15 CVEs
3.7.0.25 CVEs
3.7.15 CVEs
3.7.1-rc.15 CVEs
3.7.25 CVEs
3.7.2-rc.15 CVEs
3.7.2.15 CVEs
3.7.35 CVEs
3.7.3-rc.15 CVEs
3.7.45 CVEs
3.7.4-rc.15 CVEs
3.7.55 CVEs
3.8.0-rc.15 CVEs
3.8.0-rc.25 CVEs
3.8.0-rc.35 CVEs
3.8.1-rc.15 CVEs
3.8.14 CVEs
3.8.1.14 CVEs
3.8.24 CVEs
3.8.2-rc.14 CVEs
3.8.34 CVEs
3.8.3-rc.14 CVEs
3.8.3-rc.24 CVEs
3.8.44 CVEs
3.9.0-rc.14 CVEs
3.9.0-rc.24 CVEs
3.9.64 CVEs
3.9.6.14 CVEs
3.9.74 CVEs
3.9.7-rc.14 CVEs
3.9.84 CVEs
3.9.8-rc.14 CVEs
4.0.0-alpha.14 CVEs
4.0.0-alpha.24 CVEs
4.0.0-alpha.34 CVEs
4.0.0-alpha.44 CVEs
4.0.0-alpha.54 CVEs
4.0.0-alpha.64 CVEs
4.0.0-alpha.74 CVEs
4.0.0-beta.14 CVEs
4.0.0-beta.24 CVEs
4.0.0-beta.34 CVEs
4.0.0-rc.14 CVEs
4.0.0-rc.24 CVEs
4.0.0-rc.34 CVEs
4.0.0-rc.44 CVEs
4.1.24 CVEs
4.2.04 CVEs
4.2.0-rc.14 CVEs
4.3.04 CVEs
4.3.0-rc.14 CVEs
< 3.9.8.33 CVEs
>= 3.10.0, < 3.10.1.23 CVEs
>= 4.0.0, < 4.7.13 CVEs
3.6.03 CVEs
3.6.0-alpha.13 CVEs
3.6.0-alpha.23 CVEs
3.6.0-alpha.33 CVEs
3.6.0-alpha.43 CVEs
3.6.0-beta.13 CVEs
3.6.0-beta.23 CVEs
3.6.0-beta.33 CVEs
3.6.0-rc.13 CVEs
3.6.0-rc.23 CVEs
3.6.0-rc.33 CVEs
3.6.0-rc.43 CVEs
3.6.0-rc.53 CVEs
3.6.13 CVEs
3.6.1.13 CVEs
3.6.23 CVEs
3.6.2-rc.13 CVEs
3.6.2-rc.23 CVEs
3.6.2-rc.33 CVEs
3.6.33 CVEs
3.6.3-rc.13 CVEs
3.6.3-rc.23 CVEs
3.6.3.13 CVEs
3.6.43 CVEs
3.6.4-rc.13 CVEs
3.6.53 CVEs
3.6.5-rc.13 CVEs
3.6.63 CVEs
3.6.6-rc.13 CVEs
3.7.0-rc.13 CVEs
3.7.0-rc.23 CVEs
3.7.0-rc.33 CVEs
4.3.13 CVEs
4.4.03 CVEs
4.4.0-rc.13 CVEs
4.4.13 CVEs
4.5.03 CVEs
4.5.0-rc.13 CVEs
4.6.03 CVEs
4.6.0-rc.13 CVEs
4.6.13 CVEs
4.7.03 CVEs
4.7.0-rc.13 CVEs
5.0.02 CVEs
5.0.12 CVEs
5.0.22 CVEs
5.0.32 CVEs
5.0.42 CVEs
5.1.02 CVEs
5.1.0-rc.12 CVEs
5.1.12 CVEs
5.1.22 CVEs
5.1.32 CVEs
< 3.5.8.21 CVE
< 3.6.6.61 CVE
= 3.8.01 CVE
>= 2.6.0, < 3.6.6.21 CVE
>= 3.10.0, < 3.10.1.11 CVE
>= 3.5.0, < 3.5.8.21 CVE
>= 3.6.0, < 3.6.6.21 CVE
>= 3.7.0, < 3.7.5.11 CVE
>= 3.7.0, < 3.7.5.51 CVE
>= 3.7.0, <3.7.5.11 CVE
>= 3.8.0, < 3.8.11 CVE
>= 3.8.0, < 3.8.4.41 CVE
>= 3.9.0, < 3.9.8.21 CVE
>= 4.0.0, < 4.3.11 CVE
5.1.41 CVE
5.2.01 CVE
5.2.0-rc.11 CVE
5.2.11 CVE

Fixed in

4.9.08 CVEs
5.4.08 CVEs
000131afbd086776f944c6c434d0084348cfddd55 CVEs
3.5.8.35 CVEs
3.6.6.35 CVEs
3.7.5.25 CVEs
3.8.4.15 CVEs
3.9.65 CVEs
5f1311fc0ad221111917626127a55b2bfd7f4b945 CVEs
90d8affa5ab601560f4c6d310bab5e40d12df9cc5 CVEs
b9ac70d552c339ba35d41509e73d9972e9e546505 CVEs
053f21f45a53b96ab623fba4345e129388a983cb3 CVEs
3.10.1.2

Find a version

41 CVEs

Sort

Kirby: User avatar creation, replacement and deletion are not gated by user update permissions
CVE-2026-42174
Patch
CWE-862
Medium · CVSS 5.3
EPSS 0.0% (1th pct)2026-05-09
Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog
CVE-2026-42137
Patch
CWE-863
High · CVSS 7.1
EPSS 0.0% (1th pct)2026-05-09
Kirby: System API endpoint leaks license data and installed version to authenticated users
CVE-2026-42051
Patch
CWE-862
Medium · CVSS 5.3
EPSS 0.0% (9th pct)2026-05-09
Kirby: Read access to site, user and role information is not gated by permissions
CVE-2026-42069
Patch
CWE-862
High · CVSS 7.1
EPSS 0.0% (8th pct)2026-05-09
Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection
CVE-2026-41325
Patch
CWE-863
High · CVSS 7.1
EPSS 0.0% (13th pct)2026-04-24
Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
CVE-2026-40099
Patch
CWE-863
Low · CVSS 1.3
EPSS 0.0% (8th pct)2026-04-24
Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
CVE-2026-34587
Patch
CWE-1336
High · CVSS 7.6
EPSS 0.0% (10th pct)2026-04-24
Kirby has XML injection in its XML creator toolkit
CVE-2026-32870
Patch
CWE-91
Medium · CVSS 6.9
EPSS 0.0% (13th pct)2026-04-24
Medium vulnerability · 2026-03-26
CVE-2026-29905
Public exploit
Patch
CWE-20
Medium · CVSS 6.5
EPSS 0.0% (5th pct)2026-03-26
Kirby is missing permission checks in the content changes API
CVE-2026-21896
Patch
CWE-863
Medium · CVSS 5.8
EPSS 0.0% (12th pct)2026-01-08
Kirby CMS has cross-site scripting (XSS) in the changes dialog
CVE-2025-65012
Patch
CWE-79
Medium · CVSS 5.1
EPSS 0.0% (7th pct)2025-11-18
Path traversal of collection names during file system lookup
CVE-2025-31493
Patch
CWE-22
Medium · CVSS 6.3
EPSS 0.8% (74th pct)2025-05-13
Kirby vulnerable to path traversal in the router for PHP's built-in server
CVE-2025-30207
Patch
CWE-22
Low · CVSS 2.3
EPSS 0.6% (70th pct)2025-05-13
Kirby vulnerable to path traversal of snippet names in the `snippet()` helper
CVE-2025-30159
Patch
CWE-22
Medium · CVSS 6.3
EPSS 0.9% (76th pct)2025-05-13
High vulnerability · 2024-08-29
CVE-2024-41964
Patch
CWE-863
High · CVSS 8.1
EPSS 0.4% (60th pct)2024-08-29
Medium vulnerability · 2024-02-26
CVE-2024-27087
Patch
CWE-79
Medium · CVSS 4.6
EPSS 0.8% (74th pct)2024-02-26
Medium vulnerability · 2024-02-22
CVE-2024-26484
Public exploit
Patch
CWE-79
Medium · CVSS 6.1
EPSS 0.1% (26th pct)2024-02-22
High vulnerability · 2024-02-22
CVE-2024-26483
Public exploit
Patch
CWE-94
High · CVSS 8.8
EPSS 0.2% (36th pct)2024-02-22
High vulnerability · 2024-02-22
CVE-2024-26482
Public exploit
CWE-80
High · CVSS 7.1
EPSS 0.0% (11th pct)2024-02-22
Medium vulnerability · 2024-02-22
CVE-2024-26481
Public exploit
Patch
CWE-79
Medium · CVSS 4.7
EPSS 0.1% (27th pct)2024-02-22
Medium vulnerability · 2023-07-27
CVE-2023-38492
Patch
CWE-770
Medium · CVSS 5.3
EPSS 0.1% (32th pct)2023-07-27
Medium vulnerability · 2023-07-27
CVE-2023-38491
Patch
CWE-79
Medium · CVSS 5.7
EPSS 0.2% (40th pct)2023-07-27
Medium vulnerability · 2023-07-27
CVE-2023-38490
Patch
CWE-776
Medium · CVSS 6.8
EPSS 20.4% (96th pct)2023-07-27
High vulnerability · 2023-07-27
CVE-2023-38489
Patch
CWE-613
High · CVSS 7.3
EPSS 0.2% (43th pct)2023-07-27
High vulnerability · 2023-07-27
CVE-2023-38488
Patch
CWE-140
High · CVSS 7.1
EPSS 0.1% (26th pct)2023-07-27
Medium vulnerability · 2022-10-25
CVE-2022-39315
Patch
CWE-204
Medium · CVSS 6.5
EPSS 0.5% (65th pct)2022-10-25
User enumeration in the code-based login and password reset forms
CVE-2022-39314
Patch
CWE-307
Medium · CVSS 4.8
EPSS 0.2% (43th pct)2022-10-24
Medium vulnerability · 2022-08-29
CVE-2022-36037
Patch
CWE-79
Medium · CVSS 5.9
EPSS 0.6% (70th pct)2022-08-29
Vulnerability · 2022-08-24
CVE-2018-14519
Public exploit
Unscored
EPSS 0.2% (37th pct)2022-08-24
Medium vulnerability · 2022-08-24
CVE-2018-14520
Public exploit
CWE-79
Medium · CVSS 5.4
EPSS 0.2% (46th pct)2022-08-24

Showing 30 of 41

Severity and exploitation

getkirby kirby Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Specific versions

Fixed in

Common weakness types

Disclosure activity by year

Other getkirby products

Frequently asked questions

How many CVEs does getkirby kirby have?

How many getkirby kirby CVEs are in CISA KEV?

Are there public exploits for getkirby kirby vulnerabilities?

Which versions of getkirby kirby are affected?

What are the most common weakness types in getkirby kirby CVEs?

What is the average severity of getkirby kirby CVEs?

References

Track getkirby kirby vulnerabilities