PT-2026-2126 · Kirby · Kirby
Lukaskleinschmidt · Published 2026-01-08 · Updated 2026-02-02 · CVE-2026-21896
CVSS v4.0: 5.8 (Medium)
| Vector | AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Kirby versions 5.0.0 through 5.2.1
Description
Kirby is an open-source content management system. Versions 5.0.0 through 5.2.1 are missing permission checks in the content changes API. This affects Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by disabling the update permission so that those roles cannot modify site content. Installations that use the default user permissions are not affected. On affected sites, the content changes API allows such users to modify site content despite the disabled permission. The vulnerable API endpoint, parameter or variable, and function are not specified.
Recommendations
Update to version 5.2.2 or later.
Exploit
Fix
Weakness Enumeration
Incorrect Authorization
Related Identifiers
Affected Products
Kirby