CVE-2026-44177

Source
https://cve.org/CVERecord?id=CVE-2026-44177
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44177.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44177
Aliases
Published
2026-07-16T21:19:16.783Z
Modified
2026-07-19T03:31:10.229922778Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Kirby: Pre-authentication path traversal and PHP file inclusion during user lookup
Details

Kirby is an open-source content management system. In versions 5.3.0 and above but prior to 5.4.1, Kirby did not correctly validate the provided user ID, resulting in a path traversal vulnerability. Version 5.3.0 introduced a performance improvement to the Users collection that loaded user objects lazily when first needed. Users were queried by their ID, which was then used to locate the corresponding account directory under site/accounts. This affected the authentication API (accessible to unauthenticated requests), the users API (accessible only to authenticated users), and any other place that uses $users->find() to look up an individual user by a request-provided email or ID. As a result, an attacker could trigger arbitrary PHP file inclusion of files named  index.php (for example, the main PHP files of plugins), the impact of which depends on the logic those files contain. It also allowed probing for the existence of arbitrary directories on the server, letting attackers fingerprint the server and site setup, including installed plugins and the content structure. This issue has been fixed in version 5.4.1.

Database specific
{
    "cwe_ids": [
        "CWE-22",
        "CWE-98"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44177.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/getkirby/kirby

Affected ranges

Type
GIT
Repo
https://github.com/getkirby/kirby
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "5.3.0"
        },
        {
            "fixed": "5.4.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

5.*
5.3.0
5.3.1
5.3.2
5.3.3
5.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44177.json"