CVE-2026-29905
Severity: MEDIUM 6.5 | EPSS 0.02%
Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload
Description
### Duplicate Advisory

This advisory has been withdrawn because it has been determined not to be a vulnerability. This link is maintained to preserve external references.

### Original Description

## Summary

Kirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a persistent Denial of Service (DoS) via a malformed image upload.

## Details

The vulnerability is caused by improper validation of the return value of PHP's `getimagesize()` function. When a malformed file is uploaded with a valid image extension (e.g., `.jpg`), the function returns `false` instead of the expected array. The application fails to handle this condition and proceeds with image processing, resulting in a fatal `TypeError`. This leads to persistent application crashes whenever the affected file is accessed.

## Impact

- Persistent Denial of Service (DoS)
- Affected pages return HTTP 500 errors
- Requires manual removal of the malformed file to restore functionality
- Exploitable by authenticated users with Editor permissions

## Identifiers

- CVE-2026-29905

## Resources

- https://github.com/github/advisory-database/pull/7503
- https://github.com/Stalin-143/CVE-2026-29905
- https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1
- https://www.cve.org/CVERecord?id=CVE-2026-29905
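The Details section above describes a generic PHP pitfall: `getimagesize()` returns `false` for a file whose bytes are not a parseable image, regardless of its extension, and code that indexes into that return value and passes the result into typed parameters fails hard. The following is an added illustration written for this page, not Kirby's own code; the function names, the temporary file and its contents are constructed for the example. It shows the unchecked pattern next to a hardened version that rejects the upload at validation time instead of crashing on every later access.

```php
<?php
declare(strict_types=1);

// Added example, not from the Kirby code base. Function names are hypothetical.

// Consumer with typed parameters: receiving null here throws a TypeError.
function resizeTo(int $width, int $height): string
{
    return sprintf('%dx%d', $width, $height);
}

// Unchecked pattern described in the advisory. On a non-image file
// getimagesize() returns false; $info[0] then evaluates to null (with a
// warning), and passing null into resizeTo()'s int parameter is a TypeError.
function unsafeDimensions(string $path): string
{
    $info = getimagesize($path);
    return resizeTo($info[0], $info[1]);
}

// Hardened pattern: validate the return value and the detected type before
// any processing, and treat a false result as "not an image" even if the
// extension looks right. Returns null for anything that should be rejected.
function safeDimensions(string $path, array $allowedTypes = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_WEBP]): ?array
{
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }

    $info = @getimagesize($path);
    if ($info === false) {
        return null; // malformed or non-image content, reject at upload time
    }

    [$width, $height, $type] = $info;
    if ($width <= 0 || $height <= 0) {
        return null;
    }

    // Trust the bytes, not the file name: compare the detected type against
    // an allowlist rather than the uploaded extension.
    if (!in_array($type, $allowedTypes, true)) {
        return null;
    }

    return ['width' => $width, 'height' => $height, 'mime' => $info['mime']];
}

// Constructed sample input: random text saved under a .jpg name.
$base = tempnam(sys_get_temp_dir(), 'upl');
$tmp  = $base . '.jpg';
file_put_contents($tmp, "this is not an image");

var_dump(safeDimensions($tmp));   // NULL: rejected before any image processing

try {
    unsafeDimensions($tmp);       // throws TypeError, the crash the advisory describes
} catch (\TypeError $e) {
    echo "unchecked path failed: ", $e->getMessage(), PHP_EOL;
}

unlink($tmp);
unlink($base);
```

The useful property of the hardened version is where the failure lands: a rejected upload is a single error response to the uploader, whereas the unchecked version stores the file and then fails on every subsequent request that touches it, which is what makes the condition persistent.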
Affected packages (1)
- Packagist / getkirby/cms: from 0, < 5.2.0-rc.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-29905
- PATCH: https://github.com/Stalin-143/CVE-2026-29905
- WEB: https://drive.google.com/file/d/1MwvvSYIwnC8kOIzjycGMQZw4d2K2ef8h/view?usp=sharing
- WEB: https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1
- WEB: https://github.com/github/advisory-database/pull/7503
- WEB: https://github.com/Stalin-143/CVE-2026-29905/security/advisories/GHSA-cw7v-45wm-mcf2