Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-23q2-54qv-rq5x | Kirby: `pages.access` permission is not checked in the pages picker for parent pages |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 09 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Getkirby
Getkirby kirby |
|
| Vendors & Products |
Getkirby
Getkirby kirby |
Thu, 09 Jul 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4. | |
| Title | Kirby: `pages.access` permission is not checked in the pages picker for parent pages | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T18:38:32.436Z
Reserved: 2026-05-28T20:07:58.860Z
Link: CVE-2026-49274
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-09T20:45:03Z
Weaknesses
Github GHSA