PT-2025-20911 · Kirby · Kirby

Bnomei · Published 2025-05-13 · Updated 2025-08-26 · CVE-2025-30159

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
Kirby versions prior to 3.9.8.3
Kirby versions prior to 3.10.1.2
Kirby versions prior to 4.7.1

Description: A vulnerability in Kirby affects sites that pass a dynamic (request-influenced) snippet name to the snippet() helper or the $kirby->snippet() method. An attacker can use such a name to traverse the file system and access any file readable by the PHP process, including files outside the snippets root or even outside the Kirby installation; because snippets are included as PHP, any PHP code in such a file is executed. Exploitation requires that the site's own code builds snippet names from untrusted input, together with knowledge of the site structure and the server's file system. Successful exploitation affects the confidentiality and integrity of the server.

Recommendations: For versions prior to 3.9.8.3, update to Kirby 3.9.8.3 or later. For versions prior to 3.10.1.2, update to Kirby 3.10.1.2 or later. For versions prior to 4.7.1, update to Kirby 4.7.1 or later. As a temporary workaround, avoid passing dynamic snippet names to the snippet() helper or $kirby->snippet() method until the update is applied.
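The site-side mitigation the recommendations describe, as an added illustration rather than code from the advisory or the Kirby project: a request value is never concatenated into the snippet name directly; it is first mapped through a fixed allowlist, so only developer-chosen names reach the snippet loader. The parameter name 'layout', the snippet names and the fallback are constructed for the example; Kirby's get() helper and the $page template variable are assumed to be available as in a normal Kirby template.

```php
<?php
// Added example (not Kirby project code). Assumed: the site's own template
// maps a URL parameter to a snippet name. The parameter name 'layout', the
// allowlisted snippet names and the fallback are constructed values.

/**
 * Map a request value to a known snippet name. Returns $fallback when the
 * value is not in the allowlist, so no user-supplied path fragment (no "..",
 * no slashes, no absolute paths) can ever reach snippet() / $kirby->snippet().
 */
function resolveSnippetName(?string $requested, array $allowed, string $fallback): string
{
    if ($requested === null || $requested === '') {
        return $fallback;
    }
    // Strict comparison against the fixed set; anything else is rejected.
    return in_array($requested, $allowed, true) ? $requested : $fallback;
}

// Constructed allowlist: the only snippets this template may render.
$allowedLayouts = ['card', 'list', 'teaser'];

// Before (the pattern the advisory describes): the request value flows
// straight into the snippet name, so the caller controls the path.
// snippet('layouts/' . get('layout'));

// After: only an allowlisted name is concatenated into the snippet path.
$layout = resolveSnippetName(get('layout'), $allowedLayouts, 'list');
snippet('layouts/' . $layout, ['page' => $page]);
```

An allowlist is preferable to stripping ".." or slashes from the input: it removes the need to reason about encoding variants, and it documents in one place which snippets a given template is permitted to render. The fixed Kirby releases listed above remain the actual remedy; this check only limits exposure on sites that must keep dynamic snippet selection.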

Exploit · Fix · Path traversal · Relative Path Traversal

Weakness Enumeration

Related Identifiers
CVE-2025-30159
GHSA-FW82-87P8-V6HP

Affected Products
Kirby