pkg:Packagist/getkirby/cms

40 CVEs in total (HIGH: 6, MEDIUM: 17)

All known vulnerabilities

  • HIGH 8.1 CVE-2026-34587: Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
    from 0, < 4.9.0
  • HIGH 8.1 CVE-2024-41964: Kirby has insufficient permission checks in the language settings
    from 0, < 3.6.6.6
  • HIGH 7.6 CVE-2021-29460: Cross-site scripting (XSS) from unsanitized uploaded SVG files in Kirby
    from 0, < 3.5.4
  • HIGH 7.3 CVE-2023-38489: Insufficient Session Expiration after a password change
    from 0, < 3.5.8.3
  • HIGH 7.1 CVE-2023-38488: Field injection in the KirbyData text storage handler
    from 0, < 3.5.8.3
  • HIGH 7.1 CVE-2021-32735: Cross-site scripting (XSS) from field and configuration text displayed in the Panel
    from 0, < 3.5.7
  • MEDIUM 6.8 CVE-2023-38490: XML External Entity (XXE) vulnerability in the XML data handler
    from 0, < 3.5.8.3
  • MEDIUM 6.8 CVE-2020-26253: Kirby .dev domains and some reverse proxy setups were treated as local
    >= 3.0.0, < 3.3.6
  • MEDIUM 6.8 CVE-2020-26255: Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5
    >= 3.0.0, < 3.4.5
  • MEDIUM 6.5 CVE-2026-29905: Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload
    from 0, < 5.2.0-rc.1
  • MEDIUM 6.5 CVE-2022-39315: Kirby CMS vulnerable to user enumeration in the brute force protection
    from 0, < 3.5.8.2
  • MEDIUM 5.9 CVE-2022-36037: Cross-site scripting from dynamic options in the multiselect field
    from 0, < 3.5.8.1
  • MEDIUM 5.7 CVE-2023-38491: Cross-site scripting (XSS) from MIME type auto-detection of uploaded files
    from 0, < 3.5.8.3
  • MEDIUM 5.4 CVE-2018-14520: Kirby CMS 2.5.12 Cross-site Scripting
    from 0, <= 2.5.12
  • MEDIUM 5.4 CVE-2017-16807: Kirby XSS Vulnerability
    from 0, < 2.3.3
  • MEDIUM 5.4 CVE-2021-41258: Cross-site scripting (XSS) from image block content in the site frontend
    >= 3.5.0, < 3.5.8
  • MEDIUM 5.4 CVE-2021-41252: Cross-site scripting (XSS) from writer field content in the site frontend
    >= 3.5.0, < 3.5.8
  • MEDIUM 5.3 CVE-2023-38492: Denial of service from unlimited password lengths
    from 0, < 3.5.8.3
  • MEDIUM 4.8 CVE-2022-39314: Kirby CMS vulnerable to user enumeration in the code-based login and password reset forms
    >= 3.5.0, < 3.5.8.2
  • MEDIUM 4.6 CVE-2024-27087: Kirby vulnerable to Cross-site scripting (XSS) in the link field "Custom" type
    >= 4.0.0, < 4.1.1
  • MEDIUM 4.6 CVE-2024-26483: Kirby vulnerable to unrestricted file upload of user avatar images
    from 0, < 3.6.6.5
  • MEDIUM 4.3 CVE-2018-14519: Kirby CMS 2.5.12 Cross-site Request Forgery
    from 0, <= 2.5.12
  • MEDIUM 4.2 CVE-2024-26481: Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field
    from 0, < 3.6.6.5
  • CVE-2026-45368: Kirby CMS vulnerable to cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend
    from 0, < 4.9.1
  • CVE-2026-45334: Kirby CMS's content locks disclose IDs and emails of inaccessible users from `users.access/list` permissions
    from 0, < 4.9.1
  • CVE-2026-44177: Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup
    >= 5.3.0, < 5.4.1
  • CVE-2026-44176: Kirby CMS's `pages.access` permission is not checked during rendering of page drafts
    from 0, < 4.9.1
  • CVE-2026-44175: Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend
    from 0, < 4.9.1
  • CVE-2026-44174: Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints
    from 0, < 4.9.1
  • CVE-2026-42051: Kirby CMS's system API endpoint leaks installed version and license data to authenticated users
    from 0, < 4.9.0
  • CVE-2026-42174: Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions
    from 0, < 4.9.0
  • CVE-2026-42069: Kirby CMS's read access to site, user and role information is not gated by permissions
    from 0, < 4.9.0
  • CVE-2026-42137: Kirby CMS's `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API
    from 0, < 4.9.0
  • CVE-2026-41325: Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection
    from 0, < 4.9.0
  • CVE-2026-40099: Kirby's page creation API bypasses the changeStatus permission check via unfiltered isDraft parameter
    from 0, < 4.9.0
  • CVE-2026-32870: Kirby has XML injection in its XML creator toolkit
    from 0, < 4.9.0
  • CVE-2026-21896: Kirby is missing permission checks in the content changes API
    >= 5.0.0, < 5.2.2
  • CVE-2025-65012: Kirby CMS has cross-site scripting (XSS) in the changes dialog
    >= 5.0.0, < 5.1.4
  • CVE-2025-30207: Kirby vulnerable to path traversal in the router for PHP's built-in server
    from 0, < 3.9.8.3
  • CVE-2025-31493: Kirby vulnerable to path traversal of collection names during file system lookup
    from 0, < 3.9.8.3