CVE-2026-44174
Received Received - Intake

Kirby CMS Arbitrary Method Execution via Collection Queries

Vulnerability report for CVE-2026-44174, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password() (disclosing the password hash) or root() (disclosing the absolute filesystem path on the server) as well as methods that perform impactful actions such as loginPasswordless() (causing a privilege escalation to another user) or delete() (deleting all queried models in one go if the authenticated user has appropriate permissions). This issue has been fixed in versions 4.9.1 and 5.4.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
getkirby kirby to 5.4.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Kirby CMS versions before 4.9.1 and 5.4.1 had a flaw where model attributes in collection queries were not properly validated. This allowed attackers to inject arbitrary model methods into queries, potentially exposing sensitive data like password hashes or server paths, or performing actions like privilege escalation or mass deletion.

Impact Analysis

An attacker could exploit this to steal password hashes, access server file paths, escalate privileges to another user, or delete large amounts of data if they have sufficient permissions. This could lead to data breaches, unauthorized access, or service disruption.

Compliance Impact

This vulnerability could lead to unauthorized data access or deletion, violating GDPR's data protection principles or HIPAA's security requirements for protected health information. Organizations using vulnerable Kirby versions may face compliance violations and potential penalties.

Mitigation Strategies

Upgrade Kirby to version 4.9.1 or 5.4.1 or later to address the vulnerability. Review and restrict user permissions to prevent unauthorized access to sensitive methods like password() or delete().

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44174. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart