DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-29905: Persistent Denial of Service via Malformed Image Upload in Kirby CMS

Vulnerability ID: CVE-2026-29905
CVSS Score: 6.5
Published: 2026-03-27

Kirby CMS through version 5.1.4 contains a persistent Denial of Service (DoS) vulnerability triggered by malformed image uploads. The application fails to validate the return value of the PHP getimagesize() function, resulting in a fatal TypeError that renders affected administrative or frontend pages permanently inaccessible until the malformed file is manually removed.

TL;DR

Authenticated DoS in Kirby CMS <= 5.1.4 due to unchecked getimagesize() return values on malformed uploads, causing fatal PHP TypeErrors.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-252 (Unchecked Return Value)
  • Attack Vector: Network (Authenticated File Upload)
  • CVSS v3.1 Score: 6.5 (Medium)
  • EPSS Score: 0.00034 (0.03%)
  • Impact: Persistent Denial of Service (High Availability Loss)
  • Exploit Status: Proof of Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • Kirby CMS Panel
  • Kirby CMS Frontend Rendering Engine
  • PHP 8.0+ Environments hosting vulnerable Kirby versions
  • Kirby CMS: <= 5.1.4 (Fixed in: 5.2.0-rc.1)

Exploit Details

  • GitHub: Technical description and proof-of-concept for the vulnerability

Mitigation Strategies

  • Upgrade Kirby CMS to version 5.2.0-rc.1 or a subsequent stable release.
  • Audit and restrict file upload privileges (Editor role and above) to trusted users.
  • Implement server-level monitoring for PHP Fatal Errors (HTTP 500) to quickly detect exploitation attempts.
  • Configure WAF or upload-gateway rules that inspect uploaded files and verify the file signature (magic bytes) matches the declared extension.

Remediation Steps

  1. Identify the affected server and obtain SSH or FTP access.
  2. Navigate to the Kirby CMS installation directory, specifically the content/ folder.
  3. Use system utilities (like the file command) to identify files with image extensions that do not contain valid image headers.
  4. Delete the malformed files from the filesystem to instantly restore service.
  5. Run the application update procedure (e.g., composer update getkirby/cms) to apply the permanent fix.
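The header check from step 3, as an added shell example that is not part of the report or of Kirby: it uses od instead of the file utility so it also runs where file is absent, it only knows the four formats listed in its comments (an assumption), and it lists suspect files rather than deleting them.

```shell
#!/bin/sh
# Added example (not from the CVE report or Kirby): walk a content directory and
# report files whose image extension does not match their magic bytes.
# Formats checked (assumption): jpg/jpeg, png, gif, webp.

# Print the first $2 bytes of file $1 as lowercase hex with no separators.
hex_prefix() {
    od -An -tx1 -N "$2" -v "$1" | tr -d ' \n'
}

# Return 0 when the file's leading bytes match its extension, 1 otherwise.
# An empty or truncated file yields an empty header and is reported.
image_header_matches() {
    f="$1"
    ext=$(printf '%s' "$f" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
    hdr=$(hex_prefix "$f" 12)
    case "$ext" in
        jpg|jpeg) case "$hdr" in ffd8ff*) return 0 ;; esac ;;
        png)      case "$hdr" in 89504e470d0a1a0a*) return 0 ;; esac ;;
        gif)      case "$hdr" in 474946383761*|474946383961*) return 0 ;; esac ;;
        # WebP: "RIFF" + 4-byte length + "WEBP"
        webp)     case "$hdr" in 52494646????????57454250*) return 0 ;; esac ;;
        *)        return 0 ;;  # extension not covered by this check
    esac
    return 1
}

# List every file under directory $1 that carries an image extension but has a
# wrong header, one path per line. Review the list before removing anything.
find_malformed_images() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.webp' \) | while IFS= read -r f; do
        image_header_matches "$f" || printf '%s\n' "$f"
    done
}
```

Run as `find_malformed_images /path/to/kirby/content` after sourcing the script; PHP-side validation of the getimagesize() return value remains the actual fix, this only locates files already on disk.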

References


Read the full report for CVE-2026-29905 on our website for more details including interactive diagrams and full exploit analysis.
