CVE-2026-44177

getkirby · kirby

Kirby CMS is vulnerable to path traversal and remote file inclusion, allowing unauthenticated attackers to potentially read sensitive files or execute arbitrary code.

Executive summary

A critical path traversal and remote file inclusion vulnerability in Kirby CMS allows unauthenticated attackers to potentially compromise the application.

Vulnerability

The application is susceptible to both path traversal (CWE-22) and improper control of filenames for include statements (CWE-98). This allows an unauthenticated attacker to manipulate file paths, potentially leading to the inclusion of arbitrary files or remote code execution.

Business impact

This vulnerability poses a severe risk to the business, as it allows unauthenticated attackers to bypass security boundaries. Successful exploitation could result in the disclosure of sensitive source code, configuration data, or total system compromise via remote file inclusion. The High CVSS score of 8.8 reflects the ease of exploitation and the potential for a total loss of application integrity.

Remediation

Immediate Action: Immediately update to Kirby version 5.4.1 or later to mitigate these vulnerabilities.

Proactive Monitoring: Monitor web server logs for suspicious requests involving file inclusion attempts or directory traversal markers.

Compensating Controls: Implement WAF rules to filter out malicious path traversal sequences and restrict the web user's ability to execute files outside of designated, secure directories.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Due to the unauthenticated nature of this vulnerability and the high risk of remote code execution, patching to version 5.4.1 is mandatory. Administrators should perform this update immediately to prevent potential exploitation of the CMS.