Note
This release is part of our new monthly security release series. Find out more about those releases and their background on our website: https://getkirby.com/buzz/security-update
🚨 Security
Pre-authentication path traversal and PHP file inclusion during user lookup
This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent of setup conditions and authentication.
This vulnerability is of high severity for all Kirby sites.
- CVE ID: CVE-2026-44177
- Severity: high (CVSS score 8.8)
- Advisory: GHSA-9hx7-c53c-v6x8
Thanks to @offset for responsibly reporting the identified issue.
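The fix for this issue validates the user ID format and checks path containment (see the security fixes below). As an added illustration that is not Kirby's own code, the following PHP shows the general shape of such a hardened lookup: the accounts directory layout (`<accounts>/<id>/index.php`), the ID alphabet and the class name are assumptions made for this example.

```php
<?php
// Added example, not Kirby's code. The accounts directory layout
// (<accounts>/<id>/index.php), the ID alphabet and the class name are
// assumptions made for this illustration.
declare(strict_types=1);

final class AccountLookup
{
    private string $accountsDir;

    public function __construct(string $accountsDir)
    {
        // Canonicalize once so later prefix comparisons use the same form
        $real = realpath($accountsDir);
        if ($real === false || is_dir($real) === false) {
            throw new RuntimeException('accounts directory not found');
        }
        $this->accountsDir = $real;
    }

    /**
     * Returns the account's index.php path, or null when the ID is malformed,
     * unknown, or resolves to a location outside the accounts directory.
     */
    public function find(string $id): ?string
    {
        // 1. Format allow-list before any filesystem access: separators,
        //    dots and NUL bytes never reach the path builder.
        if (preg_match('/\A[a-z0-9]{8,32}\z/', $id) !== 1) {
            return null;
        }

        // 2. Resolve the candidate to a canonical absolute path
        //    (follows symlinks, collapses "." and "..")
        $resolved = realpath($this->accountsDir . DIRECTORY_SEPARATOR . $id);
        if ($resolved === false) {
            return null; // no such account
        }

        // 3. Containment: the resolved path must be strictly inside the
        //    accounts directory, which also catches symlinks planted in it.
        $prefix = $this->accountsDir . DIRECTORY_SEPARATOR;
        if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
            return null;
        }

        $index = $resolved . DIRECTORY_SEPARATOR . 'index.php';
        return is_file($index) ? $index : null;
    }
}

// Constructed demo layout in a temporary directory
$base = sys_get_temp_dir() . '/accounts-' . bin2hex(random_bytes(4));
mkdir($base . '/abc12345', 0700, true);
file_put_contents($base . '/abc12345/index.php', "<?php\nreturn ['email' => 'demo@example.com'];\n");

$lookup = new AccountLookup($base);
var_dump($lookup->find('abc12345'));    // well-formed and present
var_dump($lookup->find('../abc12345')); // fails the format check
var_dump($lookup->find('ABC12345'));    // outside the allowed alphabet
var_dump($lookup->find('zzzzzzzz'));    // well-formed but unknown
```

The format check runs before any filesystem call, so malformed IDs never produce a path at all; the `realpath()` prefix comparison is the second, independent line of defence for anything that does reach the filesystem.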
Arbitrary Method Call via REST API search and collection query endpoints
This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.
This vulnerability is of high severity for affected sites and has a high real-world impact.
- CVE ID: CVE-2026-44174
- Severity: high (CVSS score 8.7)
- Advisory: GHSA-86rh-h242-j8xp
Thanks to @mojamojam for responsibly reporting the identified issue.
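The fix introduces an attribute for model methods that `filterBy`/`sortBy` must refuse to call (see the security fixes below). As an added illustration that is not Kirby's own code, the following PHP shows how such an attribute can be enforced with reflection before a user-supplied method name is invoked; the attribute name `BlockAccess`, the `Page` model and the `Collection` implementation are assumptions for this example.

```php
<?php
// Added example, not Kirby's code. The attribute name, the Page model and the
// Collection implementation are assumptions for this illustration.
declare(strict_types=1);

#[Attribute(Attribute::TARGET_METHOD)]
final class BlockAccess {}

final class Page
{
    public function __construct(private string $title, private string $status) {}

    public function title(): string  { return $this->title; }
    public function status(): string { return $this->status; }

    // Destructive action: must never be reachable through a field name
    // that arrives from a client in a filter or sort parameter
    #[BlockAccess]
    public function delete(): bool { return true; }
}

final class Collection
{
    /** @param Page[] $items */
    public function __construct(private array $items) {}

    /**
     * Accept only public, non-static, argument-less methods that are not
     * marked with #[BlockAccess]. Anything else is refused before it is called.
     */
    private static function assertAccessible(object $item, string $method): void
    {
        if (method_exists($item, $method) === false) {
            throw new InvalidArgumentException("Unknown field: $method");
        }
        $ref = new ReflectionMethod($item, $method);
        if ($ref->isPublic() === false || $ref->isStatic() || $ref->getNumberOfRequiredParameters() > 0) {
            throw new InvalidArgumentException("Not a field accessor: $method");
        }
        if ($ref->getAttributes(BlockAccess::class) !== []) {
            throw new InvalidArgumentException("Access to $method is blocked");
        }
    }

    public function filterBy(string $method, mixed $value): self
    {
        $kept = [];
        foreach ($this->items as $item) {
            self::assertAccessible($item, $method);
            if ($item->$method() === $value) {
                $kept[] = $item;
            }
        }
        return new self($kept);
    }

    public function sortBy(string $method): self
    {
        $items = $this->items;
        foreach ($items as $item) {
            self::assertAccessible($item, $method);
        }
        usort($items, fn (Page $a, Page $b) => $a->$method() <=> $b->$method());
        return new self($items);
    }

    /** @return string[] */
    public function titles(): array
    {
        return array_map(fn (Page $p) => $p->title(), $this->items);
    }
}

$pages = new Collection([
    new Page('Contact', 'listed'),
    new Page('About', 'listed'),
    new Page('Draft post', 'draft'),
]);

print_r($pages->filterBy('status', 'listed')->sortBy('title')->titles());

try {
    // A client-controlled parameter could name any public method; this one is blocked
    $pages->filterBy('delete', true);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The check is done per call, before the method is invoked, so a blocked name fails loudly rather than being silently executed on the first item; the arity and visibility checks are an additional layer so that only plain accessors can be reached from a query string at all.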
Cross-site scripting (XSS) from list field content in the site frontend
This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block.
This vulnerability is of high severity for affected sites.
Your Kirby sites are not affected if you don't use the list field (or blocks field with the list block) in any of your blueprints, or if every user who can edit content is fully trusted. The attack only surfaces in the site frontend (i.e. in your templates). The Panel itself is unaffected and will not execute JavaScript that was injected into list field content.
- CVE ID: CVE-2026-44175
- Severity: high (CVSS score 8.5)
- Advisory: GHSA-5fhx-9q32-q257
Thanks to @offset for responsibly reporting the identified issue.
Cross-site scripting (XSS) from links in KirbyTags, image blocks and imported blocks HTML in the site frontend
This vulnerability affects all Kirby sites that allow the use of the (link: …) KirbyTag, the link: parameter of the (image: …) KirbyTag, the built-in image block with a link or the HTML importer for blocks, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any textarea or blocks field, or write access to content files through another vector (e.g. a frontend form or content sync pipeline). Another attack vector is the use of Html::a() or Html::link() with untrusted user input.
This vulnerability is of high severity for affected sites.
Your Kirby sites are not affected if none of the mentioned KirbyTags or block types are used, or if every user who can edit content is fully trusted. The attack only surfaces in the site frontend (i.e. in your templates). The Panel itself is unaffected and will not execute JavaScript that was injected into the textarea or blocks field content.
- CVE ID: CVE-2026-45368
- Severity: high (CVSS score 8.4)
- Advisory: GHSA-qvjf-922g-pj44
Thanks to @offset for responsibly reporting the identified issue.
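The advisory covers links whose href carries a dangerous scheme, including the `Html::a()` and `Html::link()` helpers called with untrusted input. As an added illustration that is not Kirby's own code, the following PHP shows one way a link helper can refuse such hrefs by checking the scheme after browser-style normalization; the scheme deny-list, the class name and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not Kirby's code. The scheme deny-list, the helper names and
// the sample inputs are assumptions constructed for this illustration.
declare(strict_types=1);

final class SafeLink
{
    /** Schemes whose URLs execute script or smuggle content in the browser (assumed list) */
    private const DANGEROUS_SCHEMES = ['javascript', 'vbscript', 'data'];

    /**
     * Normalize the way a browser would before reading the scheme, so that
     * entity-encoded, mixed-case or whitespace-padded variants are still caught.
     */
    public static function hasDangerousScheme(string $url): bool
    {
        // Stored content may carry HTML entities; decode them first
        $url = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        // Browsers drop leading/trailing C0 controls and spaces, and strip
        // tab/newline anywhere in the URL (WHATWG URL parsing)
        $url = trim($url, "\x00..\x20");
        $url = str_replace(["\t", "\n", "\r"], '', $url);
        // Whatever precedes the first ':' and matches the RFC 3986 scheme grammar
        if (preg_match('/\A([a-z][a-z0-9+.\-]*):/i', $url, $m) !== 1) {
            return false; // relative URL or no scheme at all
        }
        return in_array(strtolower($m[1]), self::DANGEROUS_SCHEMES, true);
    }

    /** Build an anchor tag, refusing dangerous hrefs rather than merely escaping them */
    public static function a(string $href, string $text): string
    {
        if (self::hasDangerousScheme($href)) {
            throw new InvalidArgumentException('Refusing link with dangerous scheme');
        }
        $esc = fn (string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<a href="' . $esc($href) . '">' . $esc($text) . '</a>';
    }
}

// Constructed inputs as an author could enter them in a textarea or link field
$samples = [
    'https://example.com/page',
    '/relative/path',
    'mailto:hello@example.com',
    'javascript:void(0)',
    "\tJavaScript:void(0)",
    '&#106;avascript:void(0)',
];

foreach ($samples as $url) {
    printf("%-32s %s\n", json_encode($url), SafeLink::hasDangerousScheme($url) ? 'blocked' : 'allowed');
}

echo SafeLink::a('https://example.com/page', 'Example'), PHP_EOL;
```

Escaping alone does not help here: a `javascript:` href survives `htmlspecialchars()` untouched, so the scheme has to be rejected before the attribute is emitted. Normalizing first matters because browsers tolerate the padding and case variants that a naive `str_starts_with()` check would miss.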
pages.access permission is not checked during rendering of page drafts
This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (pages.access permission is disabled). This can be due to configuration in the user blueprint(s), via options in the model blueprint(s) or via a combination of both settings.
Your Kirby sites are not affected if you intend all users of your site to be able to access all page drafts of the site. The vulnerability can only be exploited by authenticated users. Write actions are not affected by this vulnerability.
- CVE ID: CVE-2026-44176
- Severity: moderate (CVSS score 6.0)
- Advisory: GHSA-2xw4-v2wx-hqq9
Thanks to @adrgs for responsibly reporting the identified issue.
Content locks disclose IDs and emails of inaccessible users from users.access/list permissions
This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the users.access or users.list permissions. A site is affected if users of a particular role are not allowed to see other users in the Panel, for example because the role's blueprint sets users.access: false or users.list: false as permission for the authenticated user role and/or as option for the target user role.
Your Kirby site is not affected if all authenticated Panel users are permitted to access and list other users. The vulnerability can only be exploited by authenticated users.
- CVE ID: CVE-2026-45334
- Severity: moderate (CVSS score 5.3)
- Advisory: GHSA-39vq-49qm-r2mc
Thanks to Matteo Panzeri (@matte1782) for responsibly reporting the identified issue.
✨ Enhancements
- New `Kirby\Sane\Sane::sanitizeProseMirrorFields()` method which sanitizes the value and converts non-breaking spaces to their HTML entity to match ProseMirror's internal handling
- New `Kirby\Http\Url::hasDangerousScheme()`
🚨 Security fixes
- Validate user ID format and path containment in the `accounts` directory during user lookup with `$users->find()`
- Respect page access permissions when accessing/rendering drafts in the frontend
- Remove insecure search options (sort and filter) in API routes
- New `Kirby\Toolkit\BlockAccessAttribute` for model methods that must not be used by `filterBy` or `sortBy` in Collections
- List field values are now sanitized to protect them from XSS attacks
- Fix information disclosure in content lock data: the locking user's email and ID are now hidden from users who do not have permission to list that user
- Ensure `Kirby\Toolkit\Html::link()` and `Kirby\Http\Url::isAbsolute()` do not allow dangerous schemes
- The blocks HTML importer no longer imports link URLs with dangerous schemes
🐛 Bug fixes
- Fixed using `::filter()`/`::filterBy()` with non-default separators #8062
- Fixed picker dialogs to respect the `search: false` option #8054
- Fixed multiselect field search (thanks @lauriii) #8067
- Fixed JSON response error showing up on throttled Panel API calls #7351
- Imagick thumb driver: fixed preserving profiles listed in the `profiles` option #8066
- Improve thumbnail generation reliability by writing thumbs #4632
- Panel file view: refresh view after replacing the file #8073
- Prevents ghost duplicate page folders caused by stale concurrent writes after page reordering #7964
- Fixed return type docs for `Collection::first()` and `Collection::last()` to include `null` for empty collections #8094
- Pagination is now visible in the file-browser dialog #8080
- Fixed chunked uploads using the wrong file blueprint #8086
- Fixed: the first toggles option in blocks is selectable again #8093
- Time field: Fixed min/max validation message #8128
🚨 Breaking changes
`Html::link()` no longer accepts `javascript:` URLs. This is a dangerous anti-pattern with many better frontend alternatives and leaves too much room for potential attacks.
🧹 Housekeeping
- Upgrade npm dependencies #8060