Caution
🚨 Security
Missing permission checks in the content changes API
CVE ID: CVE-2026-21896
Severity: medium (CVSS score 5.8)
This vulnerability affects all Kirby sites (Kirby 5.0.0-5.2.1) where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content.
If you haven't configured any user permissions that deviate from the default of allowing all actions, your site is not affected.
🐛 Bug fixes
- Prevent error when calling `Remote::json()` with single-value JSON content (e.g. a single string, single int) #7806
- Fixed `Kirby\Toolkit\Dom` for newer libxml versions #7802
- Writer field: fixed inline toolbar position on views without Panel menu #7799
- `$collection->group(callable)` should accept empty string result as key #7830
- Fixed filename field bug in upload dialog #7662
♻️ Refactored
- Reset `$_SERVER` manipulation in tests #7807