Back to overview

CVE-2026-44174

HIGH
8.7
CVSS 4.0
Description
Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password() (disclosing the password hash) or root() (disclosing the absolute filesystem path on the server) as well as methods that perform impactful actions such as loginPasswordless() (causing a privilege escalation to another user) or delete() (deleting all queried models in one go if the authenticated user has appropriate permissions). This issue has been fixed in versions 4.9.1 and 5.4.1.

Metadata

CVE ID
CVE-2026-44174
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-05 14:39 UTC
Published
2026-07-16 21:13 UTC
Last updated
2026-07-16 21:13 UTC
Primary CWE
CWE-470
CWE-470: Use of Externally-Controlled Input to Select Classe…
Vendor / Product
getkirby / kirby
Sources
cve.org  ·  NVD

Severity & Metrics

8.7 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
getkirby kirby < 4.9.1, >= 5.0.0, < 5.4.1
Weakness (CWE)
CWESourceDescription
CWE-470 cna CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References (3)
Back to overview