CVE-2026-34587: Server-Side Template Injection and Authorization Bypass in Kirby CMS
Vulnerability ID: CVE-2026-34587
CVSS Score: 7.6
Published: 2026-04-23
Kirby CMS versions prior to 4.9.0 and 5.4.0 contain a critical double template resolution vulnerability leading to Server-Side Template Injection (SSTI). The software also suffers from an authorization bypass in the REST API, allowing authenticated users to circumvent editorial workflows and publish content without appropriate status-change permissions.
TL;DR
Kirby CMS < 4.9.0 and 5.0.0 to 5.3.x are vulnerable to SSTI via double evaluation of dynamic option fields and a REST API authorization bypass. Attackers with low-privilege access can expose sensitive system data or publish unauthorized content.
⚠️ Exploit Status: PoC
Technical Details
- Vulnerability Type: Server-Side Template Injection & Auth Bypass
- CWE ID: CWE-1336, CWE-285
- CVSS Score: 7.6 (High)
- Attack Vector: Network
- Privileges Required: Low
- Exploit Status: PoC Available
Affected Systems
- Kirby CMS < 4.9.0
- Kirby CMS 5.0.0
- Kirby CMS 5.1.0
- Kirby CMS 5.2.0
- Kirby CMS 5.3.0
- kirby: < 4.9.0 (Fixed in: 4.9.0)
- kirby: >= 5.0.0, < 5.4.0 (Fixed in: 5.4.0)
Code Analysis
- Commit a88ef33: Fix for XML CDATA validation
- Commit d6b9a70: Authorization hardening for system API routes
- Commit c11d9f2: Core fix for double-resolution in Option classes
Mitigation Strategies
- Upgrade Kirby CMS to version 4.9.0 or 5.4.0.
- Audit custom blueprints for dynamic option fields that use query: or api: attributes.
- Review RBAC configurations and restrict pages.create permissions for untrusted users.
- Deploy Web Application Firewall (WAF) rules to drop unauthorized REST API requests modifying the isDraft parameter.
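The blueprint audit above is easiest to do with a script rather than by eye, since dynamic options can appear in two forms (the `options:` block with `type: query` / `type: api`, and the older `options: query` / `options: api` shorthand with a sibling `query:` / `api:` key). The following is an added audit helper written for this page, not Kirby's own code; it assumes blueprints live under `site/blueprints`, that they use the nested-mapping YAML subset shown in the constructed sample, and that a field is worth reviewing whenever its options are resolved from a query or a remote API. The parser is a deliberate approximation (it skips list items and block scalars) so that the check runs without a YAML library.

```python
"""Scan Kirby blueprint files for fields whose options are resolved dynamically
(options: query / options: api).  Added audit helper, not Kirby code.  Assumes
blueprints under site/blueprints in the nested-mapping YAML subset sampled below."""
import re
import sys
from pathlib import Path

DYNAMIC_OPTION_TYPES = {"query", "api"}
# "key: value" lines; keys are plain identifiers, the value may be empty (nested block)
LINE_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$")

# Constructed sample blueprint (not taken from the advisory): new options-block form,
# legacy `options: query` shorthand, an api-backed select, and a static list.
SAMPLE_BLUEPRINT = """\
title: Article
fields:
  category:
    type: select
    options:
      type: query
      query: site.children.template("category")
      text: "{{ item.title }}"
  related:
    type: pages
    options: query
    query: page.siblings
  country:
    type: select
    options:
      type: api
      url: https://example.invalid/countries.json
      text: "{{ item.name }}"
  tags:
    type: tags
    options:
      - news
      - tech
"""


def parse_yaml_mappings(text):
    """Indentation-based parser for the nested-mapping subset used by blueprints.
    Sequence items ('- ...') and comments are skipped; not a full YAML parser."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack[-1][0] >= indent:  # leave deeper or sibling blocks
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # start of a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("\"'")
    return root


def _classify(field, options):
    """Return (kind, expression) when `options` is dynamic, else (None, '')."""
    if isinstance(options, str) and options in DYNAMIC_OPTION_TYPES:
        # legacy shorthand: `options: query` with a sibling `query:` (or `api:`) key
        expr = field.get(options, "")
        if isinstance(expr, dict):
            expr = expr.get("url") or expr.get("query") or ""
        return options, expr
    if isinstance(options, dict) and options.get("type") in DYNAMIC_OPTION_TYPES:
        return options["type"], options.get("query") or options.get("url") or ""
    return None, ""


def find_dynamic_options(tree, path=()):
    """Collect (field_path, kind, expression) for every field with dynamic options."""
    hits = []
    for key, value in tree.items():
        if key == "options":
            kind, expr = _classify(tree, value)
            if kind:
                hits.append(("/".join(path), kind, expr))
        elif isinstance(value, dict):
            hits.extend(find_dynamic_options(value, path + (key,)))
    return hits


def audit_text(text):
    return find_dynamic_options(parse_yaml_mappings(text))


def audit_blueprints(directory):
    """Map each .yml file under `directory` to its dynamic-option fields."""
    report = {}
    for path in sorted(Path(directory).rglob("*.yml")):
        hits = audit_text(path.read_text(encoding="utf-8"))
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python audit_blueprints.py site/blueprints
        report = audit_blueprints(sys.argv[1])
    else:  # no directory given: run against the constructed sample
        report = {"<sample>": audit_text(SAMPLE_BLUEPRINT)}
    for file, hits in report.items():
        for field, kind, expr in hits:
            print(f"{file}: {field} uses options:{kind} -> {expr}")
```

Run it against `site/blueprints` and review each reported field: the query or URL expression is the input that the double-resolution bug evaluated twice, so every hit is a field to re-test after upgrading and, until then, a field whose editing permission should be limited to trusted roles.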
Remediation Steps
- Verify the current Kirby CMS version running in the production environment.
- Review release notes for versions 4.9.0 and 5.4.0 to identify potential breaking changes in custom code.
- Download the appropriate updated release from the official getkirby GitHub repository.
- Replace the core system files with the patched version.
- Run regression testing on Panel UI elements utilizing dynamic option queries.
- Verify that API-based page creation defaults to draft state correctly.
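The first remediation step, checking whether the running version falls in an affected range, is simple to get wrong by eye because there are two ranges (everything below 4.9.0, and 5.0.0 up to but not including 5.4.0). The following is an added check written for this page, not Kirby's own code; it assumes the installed version is readable from the `version` key of `kirby/composer.json`, and it conservatively treats a pre-release of a fixed version (for example a 5.4.0 release candidate) as still affected.

```python
"""Compare an installed Kirby version with the affected ranges in this advisory
(< 4.9.0, and >= 5.0.0 < 5.4.0).  Added helper, not Kirby code; assumes the
version is readable from the `version` key of kirby/composer.json."""
import json
import re
import sys
from pathlib import Path

# (lower bound inclusive or None, upper bound exclusive), as stated by the advisory
AFFECTED_RANGES = [(None, (4, 9, 0)), ((5, 0, 0), (5, 4, 0))]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+.*)?$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease); tolerates a leading 'v'."""
    m = VERSION_RE.match(text.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.groups()[:3])
    return nums, m.group(4) is not None


def is_vulnerable(version):
    """True when `version` lies inside one of the affected ranges."""
    nums, prerelease = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if lower is not None and nums < lower:
            continue
        if nums < upper:
            return True
        # a pre-release of the fixed version (e.g. 5.4.0-rc.1) predates the fix
        if nums == upper and prerelease:
            return True
    return False


def installed_version(kirby_dir):
    """Read the version recorded in kirby/composer.json (assumed layout)."""
    data = json.loads((Path(kirby_dir) / "composer.json").read_text(encoding="utf-8"))
    return data["version"]


if __name__ == "__main__":
    kirby_dir = sys.argv[1] if len(sys.argv) > 1 else "kirby"
    current = installed_version(kirby_dir)
    verdict = "AFFECTED by CVE-2026-34587" if is_vulnerable(current) else "not in an affected range"
    print(f"Kirby {current}: {verdict}")
```

A "not in an affected range" result only covers the core version; the later steps (regression testing of dynamic option queries and confirming that API-created pages land as drafts) still apply, because custom code may reimplement the same option resolution or page-creation logic.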