PT-2025-20919 · Kirby · Kirby

Bastianallgeier · Published 2025-05-13 · Updated 2025-08-26 · CVE-2025-31493

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Kirby 3 prior to 3.9.8.3; Kirby 3.10.x prior to 3.10.1.2; Kirby 4 prior to 4.7.1 (one fixed release per supported line).
Description: The vulnerability affects Kirby sites that call the collection() helper or the $kirby->collection() method with a dynamic collection name (a name assembled at runtime, for example from request data, rather than a fixed string). The collection name was turned into a file path without being validated, so a name containing path traversal sequences could select any file the PHP process was able to read, including files outside the collections root and outside the Kirby installation. Because collection files are loaded as PHP, any PHP code in the selected file is executed, which makes the issue a local file inclusion rather than a read-only traversal. Exploitation requires that the site's own code passes an attacker-influenced value as the collection name and that the attacker knows, or can guess, the site structure and the server's file system layout; vulnerable setups can nevertheless be located by automated means such as fuzzing. Successful exploitation compromises the confidentiality and integrity of the server.
Recommendations: Update to the fixed release for your line: Kirby 3 installations to 3.9.8.3 or later, Kirby 3.10.x installations to 3.10.1.2 or later, Kirby 4 installations to 4.7.1 or later. Until the update is applied, do not pass untrusted or dynamically built values to collection() or $kirby->collection(); where a dynamic name cannot be avoided, resolve it against a fixed allowlist of known collection names instead of handing the raw value to the loader.
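The following PHP script is an added example, not code from this page and not Kirby's own loader or patch. It models the behaviour the description and recommendation above refer to: a collection name is mapped to <collections root>/<name>.php and that file is included, so a name carrying "../" both escapes the root and executes whatever PHP the chosen file contains. The CollectionLoader class, its name regex and realpath containment check, the pickCollection() allowlist helper and the temporary directory fixture are all assumptions of this example (requires PHP 8.1 or later).

```php
<?php
declare(strict_types=1);

// Added example (not Kirby's code). Models the loader behaviour the advisory
// describes: <root>/<name>.php is included, so the name controls which PHP
// file runs.
final class CollectionLoader
{
    public function __construct(private readonly string $root) {}

    /** Vulnerable variant: the name is concatenated into the path and included as-is. */
    public function loadUnchecked(string $name): mixed
    {
        $file = $this->root . '/' . $name . '.php';
        return include $file;   // executes whatever PHP the selected file contains
    }

    /**
     * Hardened variant (this example's choice, not Kirby's fix): accept only plain
     * names made of letters, digits, '-' and '_' (optionally '/'-separated), which
     * rules out '.' and therefore '..'; then confirm the resolved path still lies
     * inside the root. The trailing separator in the prefix check stops a sibling
     * directory such as "<root>-other" from passing as "inside".
     */
    public function loadChecked(string $name): mixed
    {
        if (preg_match('~^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$~', $name) !== 1) {
            throw new InvalidArgumentException("Invalid collection name: $name");
        }
        $root = realpath($this->root);
        $file = realpath($this->root . '/' . $name . '.php');
        if ($root === false || $file === false
            || !str_starts_with($file, $root . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException("Collection not found: $name");
        }
        return include $file;
    }
}

// Call-site workaround from the advisory: an untrusted value is never handed to
// the loader directly but mapped against a fixed allowlist of collection names.
function pickCollection(string $requested, array $allowed = ['latest', 'featured']): string
{
    return in_array($requested, $allowed, true) ? $requested : 'latest';
}

// --- Constructed fixture: a fake site tree in a temporary directory ----------
$base = sys_get_temp_dir() . '/kirby-collection-demo-' . bin2hex(random_bytes(4));
mkdir("$base/site/collections", 0700, true);
file_put_contents("$base/site/collections/latest.php",
    '<?php return fn () => ["page-a", "page-b"];');
// A PHP file outside the collections root and outside "site/", standing in for
// anything the PHP process can read (an uploaded file, a config file, ...).
file_put_contents("$base/outside.php",
    '<?php return "executed code from outside the collections root";');

$loader = new CollectionLoader("$base/site/collections");

// Legitimate use: both variants load the real collection and return its closure.
var_dump(($loader->loadUnchecked('latest'))());
var_dump(($loader->loadChecked('latest'))());

// A dynamic name carrying "../" (e.g. taken from a URL parameter) walks out of
// the collections root; the unchecked loader includes and executes outside.php.
var_dump($loader->loadUnchecked('../../outside'));

// The hardened loader rejects the same name before touching the filesystem.
try {
    $loader->loadChecked('../../outside');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// The allowlist at the call site never lets the traversal name through at all.
var_dump(pickCollection('../../outside'));

// Cleanup of the constructed fixture.
unlink("$base/site/collections/latest.php");
unlink("$base/outside.php");
rmdir("$base/site/collections");
rmdir("$base/site");
rmdir($base);
```

Run it with `php demo.php`. The unchecked call with `../../outside` returns the string produced by the file outside the root, which is the confidentiality and integrity impact the advisory rates 9.1: the attacker does not just read the file, the PHP inside it runs. Both the regex gate and the realpath containment check are kept because a regex alone can be bypassed by an encoding the application decodes later, and a containment check alone still lets the loader touch the filesystem with attacker-shaped paths.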

Weakness Enumeration: Relative Path Traversal (CWE-23); Path traversal

Related Identifiers: CVE-2025-31493; GHSA-X275-H9J4-7P4H

Affected Products: Kirby