Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password() (disclosing the password hash) or root() (disclosing the absolute filesystem path on the server) as well as methods that perform impactful actions such as loginPasswordless() (causing a privilege escalation to another user) or delete() (deleting all queried models in one go if the authenticated user has appropriate permissions). This issue has been fixed in versions 4.9.1 and 5.4.1.
History

Sat, 18 Jul 2026 05:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Getkirby
Getkirby kirby
Vendors & Products Getkirby
Getkirby kirby

Thu, 16 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password() (disclosing the password hash) or root() (disclosing the absolute filesystem path on the server) as well as methods that perform impactful actions such as loginPasswordless() (causing a privilege escalation to another user) or delete() (deleting all queried models in one go if the authenticated user has appropriate permissions). This issue has been fixed in versions 4.9.1 and 5.4.1.
Title Kirby: Arbitrary Method Call via REST API search and collection query endpoints
Weaknesses CWE-470
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-07-16T21:13:43.133Z

Updated: 2026-07-18T03:17:09.100Z

Reserved: 2026-05-05T14:39:34.923Z

Link: CVE-2026-44174

cve-icon Vulnrichment

Updated: 2026-07-18T03:17:04.659Z

cve-icon NVD

No data.

cve-icon Redhat

No data.