🔐 CVE Alert

CVE-2026-44177

UNKNOWN 0.0

Kirby: Pre-authentication path traversal and PHP file inclusion during user lookup

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Kirby is an open-source content management system. In versions 5.3.0 and above but prior to 5.4.1, Kirby did not correctly validate the provided user ID, resulting in a path traversal vulnerability. Version 5.3.0 introduced a performance improvement to the Users collection that loaded user objects lazily when first needed. Users were queried by their ID, which was then used to locate the corresponding account directory under site/accounts. This affected the authentication API (accessible to unauthenticated requests), the users API (accessible only to authenticated users), and any other place that uses $users->find() to look up an individual user by a request-provided email or ID. As a result, an attacker could trigger arbitrary PHP file inclusion of files named  index.php (for example, the main PHP files of plugins), the impact of which depends on the logic those files contain. It also allowed probing for the existence of arbitrary directories on the server, letting attackers fingerprint the server and site setup, including installed plugins and the content structure. This issue has been fixed in version 5.4.1.

CWE CWE-22 CWE-98
Vendor getkirby
Product kirby
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for getkirby kirby

Be the first to know when new unknown vulnerabilities affecting getkirby kirby are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

getkirby / kirby
>= 5.3.0, < 5.4.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/getkirby/kirby/security/advisories/GHSA-9hx7-c53c-v6x8 github.com: https://github.com/getkirby/kirby/releases/tag/5.4.1