Kirby 2.5.7

Kirby 2.5.7 is a bug fix release with a few additional smaller enhancements.

This is also a security release. It fixes two issues that have been reported to us recently:

  • A directory traversal issue that would allow attackers to read any file of your Kirby installation via the plugin assets feature or the field assets feature.
    This issue affects all Kirby sites.
  • A Cross-site Scripting (XSS) attack in the Panel that occurs when displaying specially prepared SVG images that have been uploaded as a content file.
    This issue only affects you if not all of your Panel users can be trusted or if you use a file upload form in the front-end that allows visitors to upload SVG files.

We take security very seriously, which is why we are also releasing the patch updates 2.3.3 and 2.4.2 for those who can't easily update their sites to 2.5.

It is strongly recommended to update to one of the fixed Kirby versions.

Thanks to Kacper Szurek and Ishaq Mohammed for letting us know about the issues.


  • Fixed directory traversal issue in the field assets route
  • Fixed XSS issue with displaying SVGs in the file views
  • Better styling for readonly Structure fields in the table style #1111 #1114
  • Allow users with the panel.user.update permission to update users even if they are not admins #1097
  • Support replacing a user avatar with one of a different file type #1103
  • Fixed file upload issues in IE 11 #1042
  • Added a default option for the User field #810
  • The Radiobuttons and Checkboxes fields now also validate if there is no option available so that the page can be saved in this situation (making the field required is unaffected) #1073
  • Don't warn about missing license on .test and .localhost testing domains #1102
  • Stop form events from being registered multiple times


  • Fixed directory traversal issue in the plugin assets route
  • Don't redirect to the homepage if an invalid URL is accessed in multilang sites with no language at the domain root #609
  • $pages->findByURI($uri) no longer returns the parent page if a URI like projects/projects is given and that page itself doesn't exist #605
  • Trim trailing slashes in multilang URL config to prevent double slashes #604


Our partners

CDN by KeyCDN Search by Algolia