CVE-2026-54004
MEDIUM
6.3
CVSS 4.0
Description
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites with content.fileRedirects enabled could redirect unauthenticated clean file URL requests for files stored in top-level draft pages to physical media URLs without checking page access permissions or preview tokens, leading to disclosure of draft file contents. This issue is fixed in versions 4.9.4 and 5.4.4.
Metadata
Severity & Metrics
6.3
MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| getkirby | kirby | — | < 4.9.4, >= 5.0.0, < 5.4.4 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-862 | cna | CWE-862: Missing Authorization |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 6.3 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
References (5)
- https://github.com/getkirby/kirby/security/advisories/GHSA-89cp-7p28-jffg https://github.com/getkirby/kirby/security/advisories/GHSA-89cp-7p28-jffg
- https://github.com/getkirby/kirby/commit/5b9a0ed587575e39156d37fa42ca7f6c73e121f7 https://github.com/getkirby/kirby/commit/5b9a0ed587575e39156d37fa42ca7f6c73e121f7
- https://github.com/getkirby/kirby/commit/bc721080cd8dd4dcb7fc20b3fd0460ee8d0603b0 https://github.com/getkirby/kirby/commit/bc721080cd8dd4dcb7fc20b3fd0460ee8d0603b0
- https://github.com/getkirby/kirby/releases/tag/4.9.4 https://github.com/getkirby/kirby/releases/tag/4.9.4
- https://github.com/getkirby/kirby/releases/tag/5.4.4 https://github.com/getkirby/kirby/releases/tag/5.4.4