{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44177/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cms (\u003e= 5.3.0, \u003c= 5.4.0)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","php-file-inclusion","kirby-cms","CVE-2026-44177"],"_cs_type":"threat","_cs_vendors":["Kirby"],"content_html":"\u003cp\u003eKirby CMS versions 5.3.0 through 5.4.0 contain a path traversal flaw caused by insufficient validation of the user ID during user lookup; the affected lookup code was introduced as a performance improvement in version 5.3.0. The flaw is reachable before authentication, so no account or prior access is required. By supplying a crafted user ID, an attacker can make Kirby include an arbitrary PHP file named \u003ccode\u003eindex.php\u003c/code\u003e from outside the accounts directory, which can execute code or disclose sensitive information depending on what that file contains. The issue affects the authentication API, the users API, and any other place where \u003ccode\u003e$users-\u0026gt;find()\u003c/code\u003e is called with a request-provided email or user ID. Exploitation also lets an attacker probe for the existence of arbitrary directories on the server, which fingerprints the server setup, installed plugins, and content structure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a request to the authentication API, the users API, or any other endpoint that passes a request-provided value to \u003ccode\u003e$users-\u0026gt;find()\u003c/code\u003e, with a crafted user ID.\u003c/li\u003e\n\u003cli\u003eThe crafted user ID contains path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) that step out of the intended user account directory.\u003c/li\u003e\n\u003cli\u003eKirby CMS concatenates the manipulated user ID into a file path to locate the user\u0026rsquo;s account directory within \u003ccode\u003esite/accounts/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBecause the ID is not validated, the traversal sequences survive into the path.\u003c/li\u003e\n\u003cli\u003eThe application attempts to include an \u003ccode\u003eindex.php\u003c/code\u003e file from the traversed path.\u003c/li\u003e\n\u003cli\u003eIf a file named \u003ccode\u003eindex.php\u003c/code\u003e exists in the traversed directory, the PHP interpreter includes and executes it; the difference in behaviour when it does not exist is what allows directory probing.\u003c/li\u003e\n\u003cli\u003eDepending on the contents of the included \u003ccode\u003eindex.php\u003c/code\u003e, sensitive information is disclosed or arbitrary code runs.\u003c/li\u003e\n\u003cli\u003eThe attacker uses that code execution to compromise the system further or to exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe path traversal in Kirby CMS 5.3.0 through 5.4.0 leads to arbitrary inclusion of files named \u003ccode\u003eindex.php\u003c/code\u003e, allowing an attacker to execute code or disclose sensitive data, and to probe for the existence of arbitrary directories to fingerprint the server setup, installed plugins, and content structure. It is rated high severity because it is reachable without authentication and can lead to full system compromise when an \u003ccode\u003eindex.php\u003c/code\u003e whose inclusion executes or discloses something of value is reachable from the traversed path.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kirby CMS 5.4.1 or later, which patches the flaw, as advised in the \u003ca href=\"https://github.com/getkirby/kirby/releases/tag/5.4.1\"\u003eKirby 5.4.1\u003c/a\u003e release notes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Kirby CMS Path Traversal Attempt\u003c/code\u003e to detect exploitation attempts by monitoring HTTP requests for path traversal sequences.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests whose user ID or email parameters contain \u003ccode\u003e../\u003c/code\u003e, including URL-encoded forms such as \u003ccode\u003e%2e%2e%2f\u003c/code\u003e and backslash variants; parameters sent in a request body do not appear in standard access logs, so capture those at the application or WAF layer.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T23:58:21Z","date_published":"2026-05-26T23:58:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-kirby-path-traversal/","summary":"Kirby CMS versions 5.3.0 through 5.4.0 are vulnerable to a pre-authentication path traversal that lets an attacker include arbitrary PHP files named `index.php`, potentially leading to sensitive information disclosure or code execution, caused by insufficient validation of the provided user ID during user lookup.","title":"Kirby CMS Pre-Authentication Path Traversal and PHP File Inclusion","url":"https://feed.craftedsignal.io/briefs/2026-05-kirby-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44177","version":"https://jsonfeed.org/version/1.1"}
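The attack chain in the feed item above describes a user ID concatenated into a path under `site/accounts/` and an `index.php` included from wherever that path resolves. The following PHP 8 script is an added example, not Kirby's own code and not from the feed: it models that lookup once without validation and once with an allow-listed ID and a `realpath()` containment check, then runs both against a legitimate ID and a traversing one. The temporary site layout, the account data, the plugin directory and the ID format (`/^[a-z0-9]{1,32}$/i`) are all constructed for the demo.

```php
<?php
// Added example (not Kirby's own code): a request-provided user ID used to
// locate site/accounts/<id>/index.php, first as a lookup that trusts the ID
// (the pattern the advisory describes) and then with the checks that stop
// traversal. Paths, account data and the ID alphabet are demo assumptions.

declare(strict_types=1);

// Build a throwaway site layout: one legitimate account and, one level up
// from site/accounts, an unrelated index.php that a traversing ID can reach.
$root     = sys_get_temp_dir() . '/kirby-demo-' . bin2hex(random_bytes(4));
$accounts = $root . '/site/accounts';
mkdir($accounts . '/abc123xy', 0700, true);
file_put_contents($accounts . '/abc123xy/index.php',
    "<?php return ['email' => 'alice@example.com', 'role' => 'admin'];");
// Something outside the accounts root, e.g. a plugin entry point.
mkdir($root . '/site/plugins/demo', 0700, true);
file_put_contents($root . '/site/plugins/demo/index.php',
    "<?php return ['plugin' => 'demo', 'secret' => 'should-not-be-readable'];");

// Vulnerable lookup: the ID is concatenated straight into the path.
function findAccountUnsafe(string $accounts, string $id): ?array
{
    $file = $accounts . '/' . $id . '/index.php';
    if (!is_file($file)) {
        return null;           // null vs array: a directory-existence oracle
    }
    return include $file;      // whatever index.php returns (or executes)
}

// Hardened lookup: allow-list the ID's alphabet, then confirm the resolved
// directory is still inside the accounts root before touching index.php.
function findAccountSafe(string $accounts, string $id): ?array
{
    if (preg_match('/^[a-z0-9]{1,32}$/i', $id) !== 1) {
        return null;           // rejects '.', '/', '\', NUL and %2e forms
    }
    $base = realpath($accounts);
    $dir  = realpath($accounts . '/' . $id);
    if ($base === false || $dir === false
        || strncmp($dir, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;           // resolved outside site/accounts (symlinks etc.)
    }
    return include $dir . '/index.php';
}

// Walks from site/accounts to site/plugins/demo.
$attackerId = '../plugins/demo';

printf("unsafe, legit id : %s\n", json_encode(findAccountUnsafe($accounts, 'abc123xy')));
printf("unsafe, traversal: %s\n", json_encode(findAccountUnsafe($accounts, $attackerId)));
printf("safe,   legit id : %s\n", json_encode(findAccountSafe($accounts, 'abc123xy')));
printf("safe,   traversal: %s\n", json_encode(findAccountSafe($accounts, $attackerId)));
```

Run it with `php demo.php`. The unsafe lookup returns the plugin's array for the traversing ID, which is the file-inclusion primitive; the safe lookup returns null for it. The allow-list alone already blocks traversal; the `realpath()` comparison is defence in depth against a symlinked account directory, and the `DIRECTORY_SEPARATOR` suffix stops `site/accounts-backup` from passing as a child of `site/accounts`.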
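The recommendation to watch access logs for `../` in user ID or email parameters is easy to get wrong if only the literal sequence is matched. The PHP 8 script below is an added example, not part of the feed or of any Sigma rule it names: it scans combined-format log lines, decodes the request target repeatedly so percent-encoded and double-encoded variants surface, normalises backslashes, and checks both the path and a watched set of query parameters. The log lines and the parameter names `id` and `email` are constructed for the demo.

```php
<?php
// Added example (not from the advisory or Kirby): flag access-log lines whose
// request path or watched query parameters decode to a traversal sequence.
// Sample lines and the parameter names are constructed for this demo.

declare(strict_types=1);

// Decode repeatedly so %2e%2e%2f and double-encoded %252e%252e%252f both
// surface as ../ ; stop as soon as a pass changes nothing.
function fullyDecode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// True when the value, after decoding, contains a ".." path segment or NUL.
function hasTraversal(string $value): bool
{
    $v = strtolower(fullyDecode($value));
    $v = str_replace('\\', '/', $v);        // treat ..\ like ../
    return preg_match('#(^|/)\.\.(/|$)#', $v) === 1 || str_contains($v, "\0");
}

// Returns one entry per suspicious location found in the given log lines.
function scanLog(array $lines, array $watched = ['id', 'email']): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Pull the request target out of "METHOD /target HTTP/x.y".
        if (!preg_match('/"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $target = $m[1];
        $path   = (string) parse_url($target, PHP_URL_PATH);
        if (hasTraversal($path)) {
            $hits[] = ['where' => 'path', 'value' => fullyDecode($path), 'line' => $line];
        }
        $query = parse_url($target, PHP_URL_QUERY);
        if (is_string($query)) {
            parse_str($query, $params);     // one layer of decoding happens here
            foreach ($watched as $name) {
                $v = $params[$name] ?? null;
                if (is_string($v) && hasTraversal($v)) {
                    $hits[] = ['where' => "param $name", 'value' => fullyDecode($v), 'line' => $line];
                }
            }
        }
    }
    return $hits;
}

// Constructed sample: one clean lookup, one clean email search, and four
// probes using plain, encoded, backslash and double-encoded traversal.
$sample = [
    '10.0.0.5 - - [26/May/2026:10:01:02 +0000] "GET /api/users/abc123xy HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/May/2026:10:01:07 +0000] "GET /api/auth?id=%2e%2e%2fplugins%2fdemo HTTP/1.1" 404 87',
    '10.0.0.9 - - [26/May/2026:10:01:09 +0000] "GET /api/auth?email=..%5c..%5csite HTTP/1.1" 404 87',
    '10.0.0.9 - - [26/May/2026:10:01:11 +0000] "GET /api/auth?id=%252e%252e%252fvendor HTTP/1.1" 404 87',
    '10.0.0.9 - - [26/May/2026:10:01:13 +0000] "GET /api/users/..%2f..%2fsite%2fplugins%2fdemo HTTP/1.1" 404 87',
    '10.0.0.7 - - [26/May/2026:10:02:00 +0000] "GET /api/users?email=bob@example.com HTTP/1.1" 200 512',
];

foreach (scanLog($sample) as $h) {
    printf("%-12s %s\n", $h['where'], $h['value']);
}
```

Four of the six constructed lines are flagged: the two clean requests pass, and each of the plain, backslash, double-encoded and path-segment probes is reported with its decoded value. Two caveats matter in production: the web server may already have normalised `..` out of the path before logging, so also keep the raw request line where your server offers it, and anything sent in a POST body (as credentials to an authentication endpoint typically are) never reaches the access log, so the same check has to run at the application or WAF layer for those requests.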