๐Ÿ” CVE Alert

CVE-2026-54004

UNKNOWN 0.0

Kirby: Access to files of top-level drafts is not protected by permissions

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites with content.fileRedirects enabled could redirect unauthenticated clean file URL requests for files stored in top-level draft pages to physical media URLs without checking page access permissions or preview tokens, leading to disclosure of draft file contents. This issue is fixed in versions 4.9.4 and 5.4.4.

CWE CWE-862
Vendor getkirby
Product kirby
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for getkirby kirby

Be the first to know when new unknown vulnerabilities affecting getkirby kirby are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

getkirby / kirby
< 4.9.4 >= 5.0.0, < 5.4.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getkirby/kirby/security/advisories/GHSA-89cp-7p28-jffg github.com: https://github.com/getkirby/kirby/commit/5b9a0ed587575e39156d37fa42ca7f6c73e121f7 github.com: https://github.com/getkirby/kirby/commit/bc721080cd8dd4dcb7fc20b3fd0460ee8d0603b0 github.com: https://github.com/getkirby/kirby/releases/tag/4.9.4 github.com: https://github.com/getkirby/kirby/releases/tag/5.4.4