CVE-2026-42174

MEDIUM SEVERITY

Vulnerability Description

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

Vulnerability Details

Published Date

May 04, 2026

Last Modified

May 09, 2026

CWE ID

CWE-862

Source

GitHub

Vendor

composer

Product

getkirby/cms

External References

https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2
https://github.com/getkirby/kirby/releases/tag/4.9.0
https://github.com/getkirby/kirby/releases/tag/5.4.0
https://github.com/advisories/GHSA-39cp-6679-8xv2

CVE-2026-42174

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment