๐Ÿ” CVE Alert

CVE-2026-49274

UNKNOWN 0.0

Kirby: `pages.access` permission is not checked in the pages picker for parent pages

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
19th

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4.

CWE CWE-862
Vendor getkirby
Product kirby
Published Jul 9, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for getkirby kirby

Be the first to know when new unknown vulnerabilities affecting getkirby kirby are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

getkirby / kirby
< 4.9.4 >= 5.0.0, < 5.4.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getkirby/kirby/security/advisories/GHSA-23q2-54qv-rq5x github.com: https://github.com/getkirby/kirby/commit/1ae575da24e1b1cb8803a031d37eff14606d7c55 github.com: https://github.com/getkirby/kirby/commit/3bad37117adf2013548a784f820ddb2d8317333c github.com: https://github.com/getkirby/kirby/commit/3f4398cdcf9f50f84fdac52ad78a7a85fb31589f github.com: https://github.com/getkirby/kirby/commit/bffffce6c081f69c46163cc89b1fd18ccf2a18d1 github.com: https://github.com/getkirby/kirby/releases/tag/4.9.4 github.com: https://github.com/getkirby/kirby/releases/tag/5.4.4