Description
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-23q2-54qv-rq5x | Kirby: `pages.access` permission is not checked in the pages picker for parent pages |
References
History
Thu, 09 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Getkirby
Getkirby kirby |
|
| Vendors & Products |
Getkirby
Getkirby kirby |
Thu, 09 Jul 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4. | |
| Title | Kirby: `pages.access` permission is not checked in the pages picker for parent pages | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T18:38:32.436Z
Reserved: 2026-05-28T20:07:58.860Z
Link: CVE-2026-49274
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T20:45:03Z
Weaknesses
Github GHSA