{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/getkirby/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["cms (\u003c= 4.8.0)","cms (\u003e= 5.0.0, \u003c= 5.3.3)","Kirby Panel","Kirby REST API"],"_cs_severities":["high"],"_cs_tags":["authorization","cms","web-application"],"_cs_type":"advisory","_cs_vendors":["getkirby"],"content_html":"\u003cp\u003eKirby CMS versions prior to 4.9.0 and between 5.0.0 and 5.3.3 are vulnerable to a missing authorization flaw. This vulnerability impacts Kirby sites where user roles are intentionally configured with restricted access to pages or files through disabled \u003ccode\u003epages.access\u003c/code\u003e, \u003ccode\u003epages.list\u003c/code\u003e, \u003ccode\u003efiles.access\u003c/code\u003e, or \u003ccode\u003efiles.list\u003c/code\u003e permissions. The issue stems from inconsistent permission checks within the Kirby Panel and REST API, allowing authenticated users to access resources they should not be able to. Updating to versions 4.9.0, 5.4.0, or later resolves this vulnerability by implementing consistent permission checks. 
The vulnerability is identified as CVE-2026-42137.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the Kirby CMS Panel or REST API.\u003c/li\u003e\n\u003cli\u003eThe user attempts to access a page or file for which their role lacks the necessary \u003ccode\u003epages.access\u003c/code\u003e/\u003ccode\u003efiles.access\u003c/code\u003e or \u003ccode\u003epages.list\u003c/code\u003e/\u003ccode\u003efiles.list\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eDue to inconsistent permission checks, the user can view the page or file details via the \u0026ldquo;changes\u0026rdquo; dialog in the Panel, even if listing is disabled.\u003c/li\u003e\n\u003cli\u003eThe user accesses the REST API, which, despite direct access checks, fails to properly filter collections or related models (children, drafts, files, etc.).\u003c/li\u003e\n\u003cli\u003eThe attacker views images associated with restricted site, pages, or user resources in lists within the Panel.\u003c/li\u003e\n\u003cli\u003eThe user exploits the incorrect permission check (using \u003ccode\u003epages.access\u003c/code\u003e instead of \u003ccode\u003epages.list\u003c/code\u003e or \u003ccode\u003efiles.access\u003c/code\u003e instead of \u003ccode\u003efiles.list\u003c/code\u003e in specific API routes).\u003c/li\u003e\n\u003cli\u003eThe user traverses to previous or next files using direct links in the files view, even if those files should not be listable.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information or modifies content due to the bypassed permission checks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows authenticated users to bypass intended access restrictions within Kirby CMS, leading to potential unauthorized access to sensitive information and/or unauthorized content modification. 
The inconsistent permission checks in the Panel and REST API could result in unintended disclosure of data restricted by role-based access controls. Successful exploitation could compromise the confidentiality and integrity of the affected Kirby CMS instance. While the advisory does not list the number of victims, this flaw impacts any Kirby site with restricted roles.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kirby CMS version 4.9.0 or 5.4.0 (or later) to patch the vulnerability as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eReview user role permissions and blueprint configurations to ensure appropriate access controls are in place after patching, as described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests to resources that should be restricted, using the rules below, to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints to mitigate potential brute-force attacks attempting to exploit this or other vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T21:03:20Z","date_published":"2026-04-30T21:03:20Z","id":"/briefs/2026-04-kirby-auth-bypass/","summary":"A missing authorization vulnerability in Kirby CMS allows authenticated users to bypass intended access restrictions on pages and files, potentially leading to unauthorized information disclosure and content modification; patched in versions 4.9.0 and 5.4.0.","title":"Kirby CMS Missing Authorization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-kirby-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["cms"],"_cs_severities":["high"],"_cs_tags":["ssti","kirby","template-injection"],"_cs_type":"advisory","_cs_vendors":["getkirby"],"content_html":"\u003cp\u003eA server-side template injection (SSTI) vulnerability has been identified in 
Kirby CMS affecting sites using option fields (checkboxes, color, multiselect, select, radio, tags, or toggles) with options sourced from queries or APIs where the values cannot be fully trusted. This vulnerability, discovered and reported by @offset, stems from a double resolution of templates within the options rendering logic. An attacker with Panel access, or one who convinces a user with Panel access to interact with a malicious element, can inject malicious query templates. This can lead to unauthorized access to sensitive information (like user passwords) or malicious modification of site content. The vulnerability affects Kirby CMS versions prior to 4.9.0 and versions between 5.0.0 and 5.4.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to the Kirby Panel, or convinces a user with access to interact with a malicious element.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a page or blueprint using dynamic options for form fields (checkboxes, selects, etc.) 
sourced from a query or API.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious query template, such as \u003ccode\u003e{{ users.first.password }}\u003c/code\u003e or \u003ccode\u003e{{ page.delete }}\u003c/code\u003e, into a page title or data returned from an external API.\u003c/li\u003e\n\u003cli\u003eThe administrator or another privileged user navigates to the affected Panel view, triggering the rendering of the form field with the injected malicious template.\u003c/li\u003e\n\u003cli\u003eThe Kirby CMS options logic improperly double-resolves the template, executing the injected query.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information, such as user passwords, or triggers unauthorized actions like page deletion, depending on the injected query.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by exploiting the compromised user\u0026rsquo;s session or by directly accessing sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow attackers to access sensitive site information, such as user credentials, or perform unauthorized actions, like modifying or deleting content. This could lead to a complete compromise of the Kirby CMS website and its data. The vulnerability specifically targets sites that leverage dynamic options for form fields, making them susceptible to malicious query injection. 
Sites running vulnerable versions of Kirby CMS are at risk of information disclosure and unauthorized modification.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kirby CMS version 4.9.0 or 5.4.0 (or later) to patch the vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-jcjw-58rv-c452\"\u003ehttps://github.com/advisories/GHSA-jcjw-58rv-c452\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to all data sources used for dynamic options to prevent the injection of malicious templates and mitigate CVE-2026-34587.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity, such as requests containing template syntax or attempts to access sensitive information, to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T21:24:37Z","date_published":"2026-04-23T21:24:37Z","id":"/briefs/2026-04-kirby-ssti/","summary":"A server-side template injection (SSTI) vulnerability exists in Kirby CMS within the option rendering feature due to double template resolution in option fields (checkboxes, color, multiselect, select, radio, tags, or toggles) when using options from a query or API with untrusted values, potentially allowing attackers to inject malicious queries.","title":"Kirby CMS Server-Side Template Injection via Double Template Resolution","url":"https://feed.craftedsignal.io/briefs/2026-04-kirby-ssti/"}],"language":"en","title":"CraftedSignal Threat Feed — Getkirby","version":"https://jsonfeed.org/version/1.1"}