CVE-2026-42174
Received
Received - Intake
Improper Access Control in Kirby CMS
Vulnerability report for CVE-2026-42174, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-09
Last updated on: 2026-05-18
Assigner: GitHub, Inc.
Description
Description
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getkirby | kirby | to 4.9.0 (exc) |
| getkirby | kirby | From 5.0.0 (inc) to 5.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |