getkirby/cms
Kirby CMS Missing Authorization Check in Pages Field Picker
Missing authorization check in the backend logic for the page picker used in the `pages` field.
Kirby CMS HTTP Header Injection in Http\Remote before 4.9.4 and 5.4.4
Kirby CMS versions before 4.9.4 and 5.4.4 allowed HTTP header injection via newline characters in header values passed to the `Kir
Kirby CMS: Missing authorization check in clean file redirects for top-level draft pages
Missing authorization check in clean file redirects for top-level draft pages allowed unauthorized access to files stored in draft
getkirby/cms: Writer field allows JavaScript URLs (self-XSS)
The writer field's link and email marks allowed JavaScript URLs, enabling self-XSS attacks.
Kirby CMS: Dom::sanitize() fails to sanitize unwrapped nodes (XSS)
Dom::sanitize() did not sanitize nodes unwrapped from their parent, allowing stored XSS via writer/list fields or Sane API.
Kirby CMS: Unauthenticated admin account creation via forwarded headers
The `isLocal` check in Panel installation logic did not properly validate `Forwarded: for=.
Kirby CMS Missing Authorization Check in /api/site/find Route
Missing authorization check in `/api/site/find` route allowed authenticated users to retrieve page information (including full con