Shankar Acharya

**Name of the Vulnerable Software and Affected Versions** Kirby versions prior to 3.5.8.3 Kirby versions prior to 3.6.6.3 Kirby versions prior to 3.7.5.2 Kirby versions prior to 3.8.4.1 Kirby versions prior to 3.9.6 **Description** The issue affects Kirby sites that allow file uploads from untrusted users or visitors, or those that do not limit file extensions to a safe list. An editor with write access to the Kirby Panel can upload a file with an unknown extension, such as `.xyz`, containing HTML code with harmful content like `<script>` tags. If a victim opens the link to this file in a browser where they are logged in to Kirby, the browser may run the script, potentially triggering requests to Kirby's API with the victim's permissions. The problem is caused by the `KirbyHttpResponse::file()` method lacking an explicit fallback for unknown MIME types. **Recommendations** Update to Kirby version 3.5.8.3 or later to fix the vulnerability. Update to Kirby version 3.6.6.3 or later to fix the vulnerability. Update to Kirby version 3.7.5.2 or later to fix the vulnerability. Update to Kirby version 3.8.4.1 or later to fix the vulnerability. Update to Kirby version 3.9.6 or later to fix the vulnerability.