Back to overview

CVE-2026-44177

HIGH
8.8
CVSS 4.0
Description
Kirby is an open-source content management system. In versions 5.3.0 and above but prior to 5.4.1, Kirby did not correctly validate the provided user ID, resulting in a path traversal vulnerability. Version 5.3.0 introduced a performance improvement to the Users collection that loaded user objects lazily when first needed. Users were queried by their ID, which was then used to locate the corresponding account directory under site/accounts. This affected the authentication API (accessible to unauthenticated requests), the users API (accessible only to authenticated users), and any other place that uses $users->find() to look up an individual user by a request-provided email or ID. As a result, an attacker could trigger arbitrary PHP file inclusion of files named  index.php (for example, the main PHP files of plugins), the impact of which depends on the logic those files contain. It also allowed probing for the existence of arbitrary directories on the server, letting attackers fingerprint the server and site setup, including installed plugins and the content structure. This issue has been fixed in version 5.4.1.

Metadata

CVE ID
CVE-2026-44177
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-05 14:39 UTC
Published
2026-07-16 21:19 UTC
Last updated
2026-07-16 21:19 UTC
Primary CWE
CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product
getkirby / kirby
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
getkirby kirby >= 5.3.0, < 5.4.1
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-98 cna CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.8 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
References (2)
Back to overview