PT-2026-37164 · Kirby · Kirby

0X-Bala +1 · Published 2026-05-04 · Updated 2026-05-11 · CVE-2026-42051

CVSS v4.0: 5.3 Medium

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Kirby versions prior to 4.9.0
Kirby versions prior to 5.4.0

Description

Missing authorization in the system API endpoint allows authenticated users to access sensitive information. Specifically, the '/api/system' endpoint leaks the installed Kirby version and the status, type, and code of the installed license to users who lack the access.system permission. This information can be utilized by malicious actors during reconnaissance to plan further attacks.

Recommendations

Update to version 4.9.0 or later.
Update to version 5.4.0 or later.
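
An inventory check for the version ranges above, as an added example that is not part of the original advisory or of Kirby's own code. It assumes Kirby is installed through Composer as the `getkirby/cms` package, reads the two ranges as per-branch fixes (4.x fixed in 4.9.0, 5.x fixed in 5.4.0), and conservatively counts a pre-release of a fixed version as affected; the lock file content is constructed sample data.

```python
import json
import re

PACKAGE = "getkirby/cms"  # assumption: Kirby was installed via Composer under this name
# Fixed releases named in the advisory, keyed by major version.
FIXED = {4: (4, 9, 0), 5: (5, 4, 0)}

def parse_version(text):
    """Return ((major, minor, patch), has_suffix) for strings such as 'v5.4.0-rc.1'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)([-+].+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None

def is_affected(version_text):
    """True if the version falls in a range the advisory lists as vulnerable."""
    core, has_suffix = parse_version(version_text)
    major = core[0]
    if major < 4:
        return True   # "prior to 4.9.0" also covers older major versions
    if major not in FIXED:
        return False  # newer than any branch named in the advisory
    fixed = FIXED[major]
    # Assumption: a pre-release of the fixed version is treated as still affected.
    return core < fixed or (core == fixed and has_suffix)

def check_lockfile(lock_text):
    """Return (version, affected) for Kirby in a composer.lock, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_affected(pkg["version"])
    return None

# Constructed sample composer.lock content (not taken from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "getkirby/composer-installer", "version": "1.2.1"},
    {"name": "getkirby/cms", "version": "4.8.0"},
]})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))
    for v in ("3.10.1", "4.8.0", "4.9.0", "5.3.2", "5.4.0-rc.1", "5.4.0"):
        print(v, "affected" if is_affected(v) else "fixed")
```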

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-42051
GHSA-X68M-C7JF-2572

Affected Products

Kirby