PT-2026-34816 · Kirby · Kirby

Published 2026-04-23 · Updated 2026-04-29 · CVE-2026-34587

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Kirby 4 versions prior to 4.9.0; Kirby 5 versions prior to 5.4.0.

Description: Kirby contains two distinct issues. First, the REST API allows the isDraft flag to be overridden during page creation. This lets an authenticated attacker who holds the pages.create permission create a page that is published immediately, bypassing the editorial workflow, because the pages.changeStatus permission is not checked during this process.

Second, a Server-Side Template Injection (SSTI) exists where user input is embedded in a template unsafely, potentially leading to remote code execution. It affects option fields such as checkboxes, color, multiselect, select, radio, tags, or toggles that take dynamic options from a query or an API. Kirby resolves the query templates in option values from OptionsQuery or OptionsApi sources twice, so a query template that an attacker has placed in the option data is evaluated when the field is loaded in the Panel. This can lead to unauthorized access to protected site information, or to malicious write access if a user with higher permissions views the manipulated Panel.

Recommendations: Update Kirby 4 to version 4.9.0 or later. Update Kirby 5 to version 5.4.0 or later.
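The double-resolution flaw described above, as an added, simplified model that is not Kirby's own code: a toy placeholder resolver, option rows as an options query might return them, and the flawed flow beside the fixed one. The site context, row data, and function names are assumptions made for the example.

```python
import re

PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

# Constructed site context for the example. "secret" stands in for
# protected content that only a privileged Panel user should see.
SITE = {"site": {"title": "Demo site", "secret": "unreleased-plan"}}


def lookup(path, ctx):
    """Walk a dotted path such as "site.title" through nested dicts."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return str(cur)


def resolve(text, ctx):
    """Expand each {{ a.b }} placeholder exactly once. re.sub does not
    rescan substituted text, so a placeholder inside a value stays literal."""
    return PLACEHOLDER.sub(lambda m: lookup(m.group(1), ctx), text)


# Constructed rows as an options query or API might return them; the
# titles were typed by a low-privileged editor, one with a placeholder.
ROWS = [{"title": "Plain option"}, {"title": "{{ site.secret }}"}]
TEXT_TEMPLATE = "{{ item.title }} ({{ site.title }})"


def options_vulnerable(rows, text_tpl=TEXT_TEMPLATE):
    """Flawed flow: resolve the text template per row, then resolve the
    finished option texts again when the field loads in the Panel."""
    texts = [resolve(text_tpl, {**SITE, "item": row}) for row in rows]
    return [resolve(t, SITE) for t in texts]  # second pass runs stored placeholders


def options_fixed(rows, text_tpl=TEXT_TEMPLATE):
    """Resolve once: whatever the rows contain is data, never a template."""
    return [resolve(text_tpl, {**SITE, "item": row}) for row in rows]


if __name__ == "__main__":
    print(options_vulnerable(ROWS))  # second option text becomes 'unreleased-plan (Demo site)'
    print(options_fixed(ROWS))       # second option text stays '{{ site.secret }} (Demo site)'
```

The second pass is the whole bug: the first pass already treated the row's title as data, and re-running the resolver over its output turns that data back into a template evaluated with the viewing user's access.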

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-34587
GHSA-JCJW-58RV-C452

Affected Products

Kirby