CVE-2026-49274
MEDIUM
5.3
CVSS 4.0
Description
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4.
Metadata
Severity & Metrics
5.3
MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| getkirby | kirby | — | < 4.9.4, >= 5.0.0, < 5.4.4 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-862 | cna | CWE-862: Missing Authorization |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 5.3 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
References (7)
- https://github.com/getkirby/kirby/security/advisories/GHSA-23q2-54qv-rq5x https://github.com/getkirby/kirby/security/advisories/GHSA-23q2-54qv-rq5x
- https://github.com/getkirby/kirby/commit/1ae575da24e1b1cb8803a031d37eff14606d7c55 https://github.com/getkirby/kirby/commit/1ae575da24e1b1cb8803a031d37eff14606d7c55
- https://github.com/getkirby/kirby/commit/3bad37117adf2013548a784f820ddb2d8317333c https://github.com/getkirby/kirby/commit/3bad37117adf2013548a784f820ddb2d8317333c
- https://github.com/getkirby/kirby/commit/3f4398cdcf9f50f84fdac52ad78a7a85fb31589f https://github.com/getkirby/kirby/commit/3f4398cdcf9f50f84fdac52ad78a7a85fb31589f
- https://github.com/getkirby/kirby/commit/bffffce6c081f69c46163cc89b1fd18ccf2a18d1 https://github.com/getkirby/kirby/commit/bffffce6c081f69c46163cc89b1fd18ccf2a18d1
- https://github.com/getkirby/kirby/releases/tag/4.9.4 https://github.com/getkirby/kirby/releases/tag/4.9.4
- https://github.com/getkirby/kirby/releases/tag/5.4.4 https://github.com/getkirby/kirby/releases/tag/5.4.4