๐Ÿ” CVE Alert

CVE-2026-44174

UNKNOWN 0.0

Kirby: Arbitrary Method Call via REST API search and collection query endpoints

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password() (disclosing the password hash) or root() (disclosing the absolute filesystem path on the server) as well as methods that perform impactful actions such as loginPasswordless() (causing a privilege escalation to another user) or delete() (deleting all queried models in one go if the authenticated user has appropriate permissions). This issue has been fixed in versions 4.9.1 and 5.4.1.

CWE CWE-470
Vendor getkirby
Product kirby
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for getkirby kirby

Be the first to know when new unknown vulnerabilities affecting getkirby kirby are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

getkirby / kirby
< 4.9.1 >= 5.0.0, < 5.4.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getkirby/kirby/security/advisories/GHSA-86rh-h242-j8xp github.com: https://github.com/getkirby/kirby/releases/tag/4.9.1 github.com: https://github.com/getkirby/kirby/releases/tag/5.4.1