PT-2026-28389 · Kirby Cms · Kirby Cms

Published: 2026-03-26 · Updated: 2026-04-04 · CVE-2026-29905

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Kirby CMS versions through 5.1.4

Description: Kirby CMS through version 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application does not properly validate the return value of the PHP getimagesize() function. When the system attempts to process a malformed file for metadata or thumbnail generation, it triggers a fatal TypeError, leading to persistent application crashes. The vulnerable component is the image processing functionality. Accessing the affected file causes HTTP 500 errors. Manual removal of the malformed file is required to restore functionality.

Recommendations: Versions prior to 5.1.4 are affected. Update Kirby CMS to a version later than 5.1.4.
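To illustrate the weakness class named above (an unchecked getimagesize() return value turning into a fatal TypeError), here is an added example written for this page; it is not Kirby's code, and the helper names imageDimensions(), dimensionsUnchecked() and dimensionsChecked() are hypothetical. The sample file is constructed garbage bytes standing in for a malformed upload.

```php
<?php
declare(strict_types=1);

// Hypothetical downstream consumer with a typed parameter. Any function that
// expects an array here (for metadata or thumbnail generation) would behave the same.
function imageDimensions(array $info): array {
    return ['width' => $info[0], 'height' => $info[1]];
}

// Vulnerable pattern: getimagesize() returns false for a file that is not a
// recognisable image, and false is handed straight to a parameter typed `array`.
// The result is an uncaught TypeError on every request that touches the file,
// i.e. the persistent HTTP 500 the advisory describes.
function dimensionsUnchecked(string $path): array {
    return imageDimensions(@getimagesize($path));
}

// Hardened pattern: check the return value before using it. Doing this at upload
// time lets the application reject the file instead of storing something that
// crashes later requests until an administrator removes it by hand.
function dimensionsChecked(string $path): ?array {
    $info = @getimagesize($path);
    if ($info === false) {
        error_log("rejected upload: not a valid image: $path");
        return null;
    }
    return imageDimensions($info);
}

// Constructed sample input: a temporary file holding bytes that are not an image.
$tmp = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($tmp, "not an image\x00\xff");

var_dump(dimensionsChecked($tmp));   // NULL: the request completes normally

try {
    dimensionsUnchecked($tmp);
} catch (TypeError $e) {
    // Without the try/catch this would be the fatal error behind the HTTP 500
    echo 'TypeError: ' . $e->getMessage() . PHP_EOL;
}

unlink($tmp);
```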

Exploit

Fix

DoS

RCE

Unchecked Return Value


Weakness Enumeration

Related identifiers

CVE-2026-29905
GHSA-CW7V-45WM-MCF2

Affected products

Kirby Cms