CVE-2026-42137

HIGH SEVERITY

Vulnerability Description

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.

Vulnerability Details

Published Date

April 30, 2026

Last Modified

May 12, 2026

CWE ID

CWE-862

Source

GitHub

Vendor

composer

Product

getkirby/cms

External References

https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c
https://github.com/getkirby/kirby/releases/tag/4.9.0
https://github.com/getkirby/kirby/releases/tag/5.4.0
https://github.com/advisories/GHSA-85x2-r8xv-ww8c

CVE-2026-42137

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment