{
    "latest": "5.4.4",
    "versions": {
        "5.4.4": {
            "status": "latest",
            "description": "Latest Kirby release"
        },
        ">=5.4.4": {
            "status": "no-vulnerabilities",
            "description": "No known vulnerabilities"
        },
        "5.*": {
            "status": "active-support",
            "description": "Actively supported",
            "latest": "5.4.4",
            "initialRelease": "2025-06-24",
            "endOfActiveSupport": null,
            "endOfLife": "2028-06-24"
        },
        "4.*": {
            "status": "security-support",
            "description": "Security support until November 28, 2026",
            "latest": "4.9.4",
            "initialRelease": "2023-11-28",
            "endOfActiveSupport": "2025-06-24",
            "endOfLife": "2026-11-28"
        },
        "3.10.*": {
            "status": "end-of-life",
            "description": "Not supported (end of life) since December 1, 2025",
            "latest": "3.10.1.2",
            "initialRelease": "2023-12-19",
            "endOfActiveSupport": "2023-12-19",
            "endOfLife": "2025-12-01"
        },
        "3.9.*": {
            "status": "end-of-life",
            "description": "Not supported (end of life) since December 1, 2025",
            "latest": "3.10.1.2",
            "initialRelease": "2023-01-17",
            "endOfActiveSupport": "2023-11-28",
            "endOfLife": "2025-12-01"
        },
        "3.8.*": {
            "status": "end-of-life",
            "description": "Not supported (end of life) since December 2, 2024",
            "latest": "3.10.1.2",
            "initialRelease": "2022-10-06",
            "endOfActiveSupport": "2023-01-17",
            "endOfLife": "2024-12-02"
        },
        "3.7.*": {
            "status": "end-of-life",
            "description": "Not supported (end of life) since June 27, 2024",
            "latest": "3.10.1.2",
            "initialRelease": "2022-06-27",
            "endOfActiveSupport": "2022-10-06",
            "endOfLife": "2024-06-27"
        },
        "3.6.*": {
            "status": "end-of-life",
            "description": "Not supported (end of life) since June 27, 2024",
            "latest": "3.10.1.2",
            "initialRelease": "2021-11-16",
            "endOfActiveSupport": "2022-06-27",
            "endOfLife": "2024-06-27"
        },
        "3.5.*": {
            "status": "end-of-life",
            "description": "Not supported (end of life) since November 16, 2023",
            "latest": "3.10.1.2",
            "initialRelease": "2020-12-15",
            "endOfActiveSupport": "2021-11-16",
            "endOfLife": "2023-11-16"
        },
        "3.* <3.5": {
            "status": "end-of-life",
            "description": "Not supported (end of life) since November 16, 2021",
            "latest": "3.10.1.2",
            "initialRelease": "2019-02-05",
            "endOfActiveSupport": "2020-12-15",
            "endOfLife": "2021-11-16"
        },
        "2.*": {
            "status": "end-of-life",
            "description": "Not supported (end of life) since January 1, 2021",
            "latest": "2.5.14",
            "initialRelease": "2014-10-07",
            "endOfActiveSupport": "2019-02-05",
            "endOfLife": "2021-01-01"
        },
        "1.*": {
            "status": "end-of-life",
            "description": "Not supported (end of life) since February 1, 2016",
            "latest": "1.1.2",
            "initialRelease": "2012-01-09",
            "endOfActiveSupport": "2014-10-07",
            "endOfLife": "2016-02-01"
        }
    },
    "urls": {
        "3.0.0 || 3.5.0 || 3.6.0 || 3.7.0 || 3.8.0 || 3.9.0 || 4.0.0 || 5.0.0": {
            "changes": "https://getkirby.com/releases/{{ version }}",
            "download": "https://github.com/getkirby/kirby/archive/refs/tags/{{ version }}.zip",
            "upgrade": "https://getkirby.com/releases/5"
        },
        ">=3.0.0": {
            "changes": "https://github.com/getkirby/kirby/releases/tag/{{ version }}",
            "download": "https://github.com/getkirby/kirby/archive/refs/tags/{{ version }}.zip",
            "upgrade": "https://getkirby.com/releases/5"
        },
        "2.*": {
            "changes": "https://github.com/getkirby-v2/kirby/releases/tag/{{ version }}",
            "download": "https://github.com/getkirby-v2/kirby/archive/refs/tags/{{ version }}.zip",
            "upgrade": "https://getkirby.com/releases/5"
        },
        "1.*": {
            "changes": "https://github.com/getkirby-v1/starterkit/releases/tag/{{ version }}",
            "upgrade": "https://getkirby.com/releases/5"
        }
    },
    "php": {
        "8.0": "2023-11-26",
        "8.1": "2025-12-31",
        "8.2": "2026-12-31",
        "8.3": "2027-12-31",
        "8.4": "2028-12-31",
        "8.5": "2029-12-31"
    },
    "incidents": [
        {
            "affected": "<=4.9.3 || 5.0.0 - 5.4.3",
            "fixed": "4.9.4, 5.4.4",
            "description": "`pages.access` permission is not checked in the `site/find` REST API route",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-r3w8-2c5r-h9j9",
            "severity": "high",
            "score": 7.1,
            "cve": "CVE-2026-54005",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.9.3 || 5.0.0 - 5.4.3",
            "fixed": "4.9.4, 5.4.4",
            "description": "Access to files of top-level drafts is not protected by permissions",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-89cp-7p28-jffg",
            "severity": "medium",
            "score": 6.3,
            "cve": "CVE-2026-54004",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.9.3 || 5.0.0 - 5.4.3",
            "fixed": "4.9.4, 5.4.4",
            "description": "External Initialization of the Panel on reverse proxy setups with the `Forwarded`, `X-Client-IP` or `X-Real-IP` header",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-whxw-24jc-cwmv",
            "severity": "critical",
            "score": 9.1,
            "cve": "CVE-2026-54003",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.9.3 || 5.0.0 - 5.4.3",
            "fixed": "4.9.4, 5.4.4",
            "description": "Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-wr9h-4r83-f4v6",
            "severity": "high",
            "score": 8.5,
            "cve": "CVE-2026-54002",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.9.3 || 5.0.0 - 5.4.3",
            "fixed": "4.9.4, 5.4.4",
            "description": "Request header injection in `Http\\Remote`",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-4v4h-m2qq-ppgw",
            "severity": "medium",
            "score": 6.9,
            "cve": "CVE-2026-50188",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"
        },
        {
            "affected": "<=4.9.3 || 5.0.0 - 5.4.3",
            "fixed": "4.9.4, 5.4.4",
            "description": "Self cross-site scripting (self-XSS) in the writer field",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-rhj6-r49h-5932",
            "severity": "high",
            "score": 7.4,
            "cve": "CVE-2026-49276",
            "cvss": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.9.3 || 5.0.0 - 5.4.3",
            "fixed": "4.9.4, 5.4.4",
            "description": "`pages.access` permission is not checked in the pages picker for parent pages",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-23q2-54qv-rq5x",
            "severity": "medium",
            "score": 5.3,
            "cve": "CVE-2026-49274",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.9.0 || 5.0.0 - 5.4.0",
            "fixed": "4.9.1, 5.4.1",
            "description": "Cross-site scripting (XSS) from links in KirbyTags, image blocks and imported blocks HTML in the site frontend",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-qvjf-922g-pj44",
            "severity": "high",
            "score": 8.4,
            "cve": "CVE-2026-45368",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.9.0 || 5.0.0 - 5.4.0",
            "fixed": "4.9.1, 5.4.1",
            "description": "Content locks disclose IDs and emails of users who are inaccessible under `users.access/list` permissions",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-39vq-49qm-r2mc",
            "severity": "medium",
            "score": 5.3,
            "cve": "CVE-2026-45334",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "5.3.0 - 5.4.0",
            "fixed": "5.4.1",
            "description": "Pre-authentication path traversal and PHP file inclusion during user lookup",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-9hx7-c53c-v6x8",
            "severity": "high",
            "score": 8.8,
            "cve": "CVE-2026-44177",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.9.0 || 5.0.0 - 5.4.0",
            "fixed": "4.9.1, 5.4.1",
            "description": "`pages.access` permission is not checked during rendering of page drafts",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-2xw4-v2wx-hqq9",
            "severity": "medium",
            "score": 6,
            "cve": "CVE-2026-44176",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.9.0 || 5.0.0 - 5.4.0",
            "fixed": "4.9.1, 5.4.1",
            "description": "Cross-site scripting (XSS) from list field content in the site frontend",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-5fhx-9q32-q257",
            "severity": "high",
            "score": 8.5,
            "cve": "CVE-2026-44175",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.9.0 || 5.0.0 - 5.4.0",
            "fixed": "4.9.1, 5.4.1",
            "description": "Arbitrary Method Call via REST API search and collection query endpoints",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-86rh-h242-j8xp",
            "severity": "high",
            "score": 8.7,
            "cve": "CVE-2026-44174",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.8.0 || 5.0.0 - 5.3.3",
            "fixed": "4.9.0, 5.4.0",
            "description": "User avatar creation, replacement and deletion are not gated by user update permissions",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2",
            "severity": "medium",
            "score": 5.3,
            "cve": "CVE-2026-42174",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.8.0 || 5.0.0 - 5.3.3",
            "fixed": "4.9.0, 5.4.0",
            "description": "`pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c",
            "severity": "high",
            "score": 7.1,
            "cve": "CVE-2026-42137",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.8.0 || 5.0.0 - 5.3.3",
            "fixed": "4.9.0, 5.4.0",
            "description": "Read access to site, user and role information is not gated by permissions",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2",
            "severity": "high",
            "score": 7.1,
            "cve": "CVE-2026-42069",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.8.0 || 5.0.0 - 5.3.3",
            "fixed": "4.9.0, 5.4.0",
            "description": "System API endpoint leaks installed version and license data to authenticated users",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-x68m-c7jf-2572",
            "severity": "medium",
            "score": 5.3,
            "cve": "CVE-2026-42051",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.8.0 || 5.0.0 - 5.3.3",
            "fixed": "4.9.0, 5.4.0",
            "description": "Page, file and user creation APIs bypass `create` permission check via unfiltered `blueprint` parameter",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-6gqr-mx34-wh8r",
            "severity": "high",
            "score": 7.1,
            "cve": "CVE-2026-41325",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.8.0 || 5.0.0 - 5.3.3",
            "fixed": "4.9.0, 5.4.0",
            "description": "Page creation API bypasses `changeStatus` permission check via unfiltered `isDraft` parameter",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-w942-j9r6-hr6r",
            "severity": "medium",
            "score": 5.3,
            "cve": "CVE-2026-40099",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.8.0 || 5.0.0 - 5.3.3",
            "fixed": "4.9.0, 5.4.0",
            "description": "Server-Side Template Injection (SSTI) via double template resolution in option rendering",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-jcjw-58rv-c452",
            "severity": "high",
            "score": 7.6,
            "cve": "CVE-2026-34587",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=4.8.0 || 5.0.0 - 5.3.3",
            "fixed": "4.9.0, 5.4.0",
            "description": "XML Injection in the XML creator toolkit",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr",
            "severity": "medium",
            "score": 6.9,
            "cve": "CVE-2026-32870",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N"
        },
        {
            "affected": "5.0.0 - 5.2.1",
            "fixed": "5.2.2",
            "description": "Missing permission checks in the content changes API",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f",
            "severity": "medium",
            "score": 5.8,
            "cve": "CVE-2026-21896",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"
        },
        {
            "affected": "5.0.0 - 5.1.3",
            "fixed": "5.1.4",
            "description": "Cross-site scripting (XSS) in the changes dialog",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-84hf-8gh5-575j",
            "severity": "medium",
            "score": 5.1,
            "cve": "CVE-2025-65012",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
        },
        {
            "affected": "<=3.9.8.2 || 3.10.0 - 3.10.1.1 || 4.0.0 - 4.7.0",
            "fixed": "3.9.8.3, 3.10.1.2, 4.7.1",
            "description": "Path traversal of collection names during file system lookup",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-x275-h9j4-7p4h",
            "severity": "medium",
            "score": 6.3,
            "cve": "CVE-2025-31493",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
        },
        {
            "affected": "<=3.9.8.2 || 3.10.0 - 3.10.1.1 || 4.0.0 - 4.7.0",
            "fixed": "3.9.8.3, 3.10.1.2, 4.7.1",
            "description": "Path traversal in the router for PHP's built-in server",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-9p3p-w5jf-8xxg",
            "severity": "low",
            "score": 2.3,
            "cve": "CVE-2025-30207",
            "cvss": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
        },
        {
            "affected": "<=3.9.8.2 || 3.10.0 - 3.10.1.1 || 4.0.0 - 4.7.0",
            "fixed": "3.9.8.3, 3.10.1.2, 4.7.1",
            "description": "Path traversal of snippet names during file system lookup",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-fw82-87p8-v6hp",
            "severity": "medium",
            "score": 6.3,
            "cve": "CVE-2025-30159",
            "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
        },
        {
            "affected": "<=3.6.6.5 || 3.7.0 - 3.7.5.4 || 3.8.0 - 3.8.4.3 || 3.9.0 - 3.9.8.1 || 3.10.0 - 3.10.1 || 4.0.0 - 4.3.0",
            "fixed": "3.6.6.6, 3.7.5.5, 3.8.4.4, 3.9.8.2, 3.10.1.1, 4.3.1",
            "description": "Insufficient permission checks in the language settings",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh",
            "severity": "high",
            "score": 8.1,
            "cve": "CVE-2024-41964",
            "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
        },
        {
            "affected": "4.0.0 - 4.1.0",
            "fixed": "4.1.1",
            "description": "Cross-site scripting (XSS) in the link field \"Custom\" type",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-63h4-w25c-3qv4",
            "severity": "medium",
            "score": 4.6,
            "cve": "CVE-2024-27087",
            "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
        },
        {
            "affected": "<=3.6.6.4 || 3.7.0 - 3.7.5.3 || 3.8.0 - 3.8.4.2 || 3.9.0 - 3.9.8 || 3.10.0 || 4.0.0 - 4.1.0",
            "fixed": "3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, 4.1.1",
            "description": "Unrestricted file upload of user avatar images",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-xrvh-rvc4-5m43",
            "severity": "medium",
            "score": 4.6,
            "cve": "CVE-2024-26483",
            "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
        },
        {
            "affected": "<=3.6.6.4 || 3.7.0 - 3.7.5.3 || 3.8.0 - 3.8.4.2 || 3.9.0 - 3.9.8 || 3.10.0 || 4.0.0 - 4.1.0",
            "fixed": "3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, 4.1.1",
            "description": "Self cross-site scripting (self-XSS) in the URL field",
            "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-57f2-8p89-66x6",
            "severity": "medium",
            "score": 4.2,
            "cve": "CVE-2024-26481",
            "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
        }
    ],
    "messages": []
}