Kirby CMS CVE-2026-41325

EUVD-2026-25371 · HIGH
Incorrect Authorization (CWE-863)
2026-04-24 · security-advisories@github.com · GHSA-6gqr-mx34-wh8r
7.1 (CVSS 4.0) · GitHub Advisory
Severity by source

GitHub Advisory (primary): 7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None

Lifecycle Timeline

  • Apr 27, 2026 19:07 (nvd): Patch released (patch available)
  • Apr 24, 2026 14:52 (vuln.today): Re-analysis Queued (cvss_changed)
  • Apr 24, 2026 03:01 (EUVD): Patch available
  • Apr 24, 2026 01:30 (vuln.today): Analysis Generated
  • Apr 24, 2026 01:22 (euvd): EUVD ID Assigned (EUVD-2026-25371)
  • Apr 24, 2026 01:22 (vuln.today): Analysis Generated
  • Apr 24, 2026 01:16 (nvd): CVE Published

Description (GitHub Advisory)

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (site/blueprints/users/...). It is also possible to customize the permissions for each target model in the model blueprints (such as in site/blueprints/pages/...) using the options feature. The permissions and options together control the authorization of user actions.

Kirby provides the pages.create, files.create and users.create permissions (among others). These permissions can again be set in the user blueprint and/or in the blueprint of the target model via options. Prior to versions 4.9.0 and 5.4.0, Kirby allowed the options to be overridden during the creation of pages, files and users by injecting custom dynamic blueprint configuration into the model data. The injected options could include 'create' => true, which then overrode the permissions and options configured by the site developer in the user and model blueprints.

The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. The patched versions update the normalization code used during the creation of pages, files and users to filter out the blueprint property. This prevents the injection of dynamic blueprint configuration into the creation request.
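The kind of normalization filter the fix describes, as an added PHP illustration that is not Kirby's own code: the client-supplied blueprint key is dropped before authorization so the create option can only come from the blueprint files on disk. Function names, the array shapes, and the rule that both the role permission and the model option must allow creation are assumptions of this example.

```php
<?php
// Added illustrative example, not Kirby's own code. A request-supplied
// 'blueprint' key is removed from the model data before the creation is
// authorized, so 'options' => ['create' => ...] can only be read from the
// developer's blueprint files. Names and array shapes are assumptions.

/** Drop request keys that only the site developer's blueprint files may define. */
function normalizeCreateProps(array $props): array
{
    // Before the fix, a 'blueprint' key in the request data was merged into
    // the model's blueprint configuration; filtering it here closes that path.
    unset($props['blueprint']);
    return $props;
}

/**
 * Decide whether a role may create a page, using only configuration loaded
 * from disk. Assumed semantics: the role permission and the model option must
 * both allow it ("permissions and options together control the authorization").
 *
 * @param array $rolePermissions  from a role blueprint under site/blueprints/users/
 * @param array $modelOptions     the 'options' section of the target page blueprint
 */
function canCreatePage(array $rolePermissions, array $modelOptions): bool
{
    $roleAllows  = ($rolePermissions['pages']['create'] ?? false) === true;
    $modelAllows = ($modelOptions['create'] ?? true) === true;
    return $roleAllows && $modelAllows;
}

// Constructed sample request from an editor whose role may only update pages.
// The 'blueprint' key is the injected override the advisory describes.
$request = [
    'slug'      => 'new-page',
    'template'  => 'article',
    'blueprint' => ['options' => ['create' => true]],
];
$rolePermissions   = ['pages' => ['create' => false]];   // from the role blueprint
$configuredOptions = ['create' => true];                 // from the page blueprint on disk

$clean = normalizeCreateProps($request);
assert(!array_key_exists('blueprint', $clean));

// The decision now ignores anything the request tried to inject.
$allowed = canCreatePage($rolePermissions, $configuredOptions);
echo $allowed ? "creation allowed\n" : "creation denied by role permissions\n";
```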

Analysis (AI-generated)

Authenticated users in Kirby CMS can bypass permission controls to create unauthorized pages, files, and users by injecting malicious blueprint configuration during model creation. Versions prior to 4.9.0 and 5.4.0 fail to sanitize the 'blueprint' property in creation requests, allowing attackers with low-privilege accounts to override developer-defined authorization policies by setting 'create' => true in dynamic options. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Authenticate to Kirby Panel
  • Delivery: Craft model creation request
  • Exploit: Inject malicious blueprint options
  • Execution: Bypass permission checks
  • Persist: Create unauthorized content
  • Impact: Escalate privileges or modify site structure

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires an authenticated session with at least login-level privileges to the Kirby Panel (PR:L in the CVSS vector). …

Risk Assessment: Real-world risk is moderate-to-high for multi-user Kirby deployments but requires authenticated access (PR:L). …

Exploit Scenario: An attacker with a low-privilege user account (e.g., an editor role restricted to updating existing pages) authenticates to the Kirby Panel. They intercept or craft a page creation POST request and inject '"blueprint": {"options": {"create": true}}' into the model data payload. …

Remediation: Upgrade immediately to Kirby CMS 4.9.0 (for 4.x installations) or Kirby 5.4.0 (for 5.x installations), available at https://github.com/getkirby/kirby/releases. …

Recommended Action (AI-generated)

Within 24 hours: Identify all Kirby CMS deployments and document current versions (check composer.json or admin panel). …


CVE-2026-41325 vulnerability details – vuln.today