HarborGuard / CVE
Back to search
HIGHCVE-2026-42137Published Modified CNA GitHub_M

CVE-2026-42137: Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.

Metrics

CVSS v4.0
7.1
Severity
HIGH
Fixed in
Affected Products
1
Affected packages
  • getkirby / kirby
    < 4.9.0 · >= 5.0.0, < 5.4.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References
CVE-2026-42137: Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog | HarborGuard CVE