CVE-2026-49274

Source
https://cve.org/CVERecord?id=CVE-2026-49274
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49274.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49274
Aliases
Published
2026-07-09T18:38:32.436Z
Modified
2026-07-16T03:30:58.595319714Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Kirby: `pages.access` permission is not checked in the pages picker for parent pages
Details

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49274.json",
    "cwe_ids": [
        "CWE-862"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/getkirby/kirby

Affected ranges

Type
GIT
Repo
https://github.com/getkirby/kirby
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.9.4"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.4.4"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

3.*
3.0.0
3.0.1
3.0.2
3.0.2-rc.1
3.0.3
3.0.3-rc.1
3.0.3-rc.2
3.0.3-rc.3
3.1.0
3.1.0-rc.1
3.1.1
3.1.2
3.1.2-rc.1
3.1.3
3.1.3-rc.1
3.1.4
3.1.4-rc.1
3.2.0
3.2.0-rc.1
3.2.0-rc.2
3.2.0-rc.3
3.2.0-rc.4
3.2.1
3.2.1-rc.1
3.2.2
3.2.3-rc.1
3.2.5
3.2.5-rc.1
3.2.5-rc.2
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.4.0
3.4.1
3.4.2
3.5.0
3.5.0-rc.1
3.5.0-rc.2
3.5.0-rc.3
3.5.0-rc.4
3.5.0-rc.5
3.5.0-rc.6
3.5.0-rc.7
3.5.1
3.5.1-rc.1
3.5.2
3.5.3
3.5.3.1
3.5.4
3.5.5
3.5.6
3.5.7
3.5.7.1
3.6.0
3.6.1.1
3.6.2
3.6.2-rc.1
3.6.2-rc.2
3.6.2-rc.3
3.6.3
3.6.3.1
3.6.4
3.6.5
3.6.6
3.7.0
3.7.0.1
3.7.0.2
3.7.1
3.7.2
3.7.2.1
3.7.3
3.7.4
3.7.4-rc.1
3.7.5
3.8.0
3.8.1
3.8.1.1
3.8.2
3.8.3
3.8.4
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
3.9.6-rc.1
3.9.6.1
3.9.7
3.9.8
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.1.1
4.1.2
4.2.0
4.3.0
4.3.1
4.4.0
4.4.1
4.5.0
4.6.0
4.6.1
4.7.0
4.7.1
4.7.2
4.8.0
4.9.0
4.9.1
4.9.2
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.2.2
5.2.3
5.3.0
5.3.1
5.3.2
5.3.3
5.4.0
5.4.1
5.4.2
5.4.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49274.json"