CVE-2026-42137
Severity: MEDIUM (CVSS 6.5)
WAF coverage: Low
Published: 2026-05-09
CWE: CWE-862, CWE-863
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
WAF Coverage Analysis
| Weakness | WAF Coverage | OWASP |
|---|---|---|
| Missing Authorization (CWE-862) | Low | A01:2021 Broken Access Control |
| Incorrect Authorization (CWE-863) | Low | A01:2021 Broken Access Control |
Affected Software
| Vendor | Product | Version |
|---|---|---|
| getkirby | kirby | before 4.9.0 |
| getkirby | kirby | 5.0.0 up to, but not including, 5.4.0 |
References
- github.com (Release Notes)
- github.com (Release Notes)
- github.com (Patch, Vendor Advisory)