CVE-2026-54003
Received
Received - Intake
Kirby CMS Panel Installation via Proxy Headers
Vulnerability report for CVE-2026-54003, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-09
Last updated on: 2026-07-09
Assigner: GitHub, Inc.
Description
Description
Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the Panel and create the first admin user because local-IP checks trusted those headers incorrectly. This issue is fixed in versions 4.9.4 and 5.4.4.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getkirby | kirby | 4.9.4 |
| getkirby | kirby | 5.4.4 |
| getkirby | kirby | to 4.9.4 (exc) |
| getkirby | kirby | From 5.4.4 (inc) to 5.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-454 | The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors. |