🚀 A new era: Kirby 4 Get to know
Skip to content

Security Policy

Supported Versions

Kirby Version Supported Support Status
4.4.1 Latest Kirby release
>=4.3.1 No known vulnerabilities
4.* Actively supported
3.10.* ⚠️ Security support until December 1, 2025
3.9.* ⚠️ Security support until December 1, 2025
3.8.* ⚠️ Security support until December 1, 2024
3.* <3.8 Not supported (end of life) since June 27, 2024
2.* Not supported (end of life) since January 1, 2021
1.* Not supported (end of life) since February 1, 2016

If you need the version information from this page in a machine-readable format, you can use the JSON representation.

Past Security Incidents

Affected Description Severity CVE ID Fixed in
<=3.6.6.5
3.7.0-3.7.5.4
3.8.0-3.8.4.3
3.9.0-3.9.8.1
3.10.0-3.10.1
4.0.0-4.3.0
Insufficient permission checks in the language settings Read more › high CVE-2024-41964 3.6.6.6 3.7.5.5 3.8.4.4 3.9.8.2 3.10.1.1 4.3.1
4.0.0-4.1.0 Cross-site scripting (XSS) in the link field "Custom" type Read more › medium CVE-2024-27087 4.1.1
<=3.6.6.4
3.7.0-3.7.5.3
3.8.0-3.8.4.2
3.9.0-3.9.8
3.10.0
4.0.0-4.1.0
Unrestricted file upload of user avatar images Read more › medium CVE-2024-26483 3.6.6.5 3.7.5.4 3.8.4.3 3.9.8.1 3.10.0.1 4.1.1
<=3.6.6.4
3.7.0-3.7.5.3
3.8.0-3.8.4.2
3.9.0-3.9.8
3.10.0
4.0.0-4.1.0
Self cross-site scripting (self-XSS) in the URL field Read more › medium CVE-2024-26481 3.6.6.5 3.7.5.4 3.8.4.3 3.9.8.1 3.10.0.1 4.1.1
<=3.5.8.2
3.6.0 - 3.6.6.2
3.7.0 - 3.7.5.1
3.8.0 - 3.8.4
3.9.0 - 3.9.5
Denial of service from unlimited password lengths Read more › medium CVE-2023-38492 3.5.8.3 3.6.6.3 3.7.5.2 3.8.4.1 3.9.6
<=3.5.8.2
3.6.0 - 3.6.6.2
3.7.0 - 3.7.5.1
3.8.0 - 3.8.4
3.9.0 - 3.9.5
Cross-site scripting (XSS) from MIME type auto-detection of uploaded files Read more › medium CVE-2023-38491 3.5.8.3 3.6.6.3 3.7.5.2 3.8.4.1 3.9.6
<=3.5.8.2
3.6.0 - 3.6.6.2
3.7.0 - 3.7.5.1
3.8.0 - 3.8.4
3.9.0 - 3.9.5
XML External Entity (XXE) vulnerability in the XML data handler Read more › medium CVE-2023-38490 3.5.8.3 3.6.6.3 3.7.5.2 3.8.4.1 3.9.6
<=3.5.8.2
3.6.0 - 3.6.6.2
3.7.0 - 3.7.5.1
3.8.0 - 3.8.4
3.9.0 - 3.9.5
Insufficient Session Expiration after a password change Read more › high CVE-2023-38489 3.5.8.3 3.6.6.3 3.7.5.2 3.8.4.1 3.9.6
<=3.5.8.2
3.6.0 - 3.6.6.2
3.7.0 - 3.7.5.1
3.8.0 - 3.8.4
3.9.0 - 3.9.5
Field injection in the KirbyData text storage handler Read more › high CVE-2023-38488 3.5.8.3 3.6.6.3 3.7.5.2 3.8.4.1 3.9.6
<=3.5.8.1
3.6.0 - 3.6.6.1
3.7.0 - 3.7.5
3.8.0
User enumeration in the brute force protection Read more › medium CVE-2022-39315 3.5.8.2 3.6.6.2 3.7.5.1 3.8.1
3.5.0 - 3.5.8.1
3.6.0 - 3.6.6.1
3.7.0 - 3.7.5
3.8.0
User enumeration in the code-based login and password reset forms Read more › medium CVE-2022-39314 3.5.8.2 3.6.6.2 3.7.5.1 3.8.1
<=3.5.8 Cross-site scripting (XSS) from dynamic options in the multiselect field Read more › medium CVE-2022-36037 3.5.8.1
3.5.7 - 3.5.8
3.6.0 - 3.6.6
3.7.0 - 3.7.3
Cross-site scripting (XSS) from content entered in the tags and multiselect fields Read more › high CVE-2022-35174 3.5.8.1 3.6.6.1 3.7.4
3.5.0 - 3.5.7.1 Cross-site scripting (XSS) from image block content in the site frontend Read more › medium CVE-2021-41258 3.5.8
3.5.0 - 3.5.7.1 Cross-site scripting (XSS) from writer field content in the site frontend Read more › medium CVE-2021-41252 3.5.8
<=3.5.6 Cross-site scripting (XSS) from field and configuration text displayed in the Panel Read more › high CVE-2021-32735 3.5.7
<=3.5.3.1 Cross-site scripting (XSS) from unvalidated uploaded SVG or XML files Read more › high CVE-2021-29460 3.5.4
<=2.5.13
3.0.0 - 3.4.4
Remote code execution (RCE) from PHP Phar archives uploaded by Panel users as content files Read more › critical CVE-2020-26255 2.5.14 3.4.5
<=2.5.13
3.0.0 - 3.3.5
External Initialization of the Panel on .dev domains and some reverse proxy setups Read more › medium CVE-2020-26253 2.5.14 3.3.6

Security Guide

Please follow our security guide to keep your Kirby installation secure.

Reporting a Vulnerability

If you have spotted a vulnerability in Kirby's core or the Panel, please make sure to let us know immediately. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

You can always contact us directly at security@getkirby.com.
If you want to encrypt your message, our GPG key is 6E6B 057A F491 FFAD 363F  6F49 9101 10FA A459 E120.

You can also use the security advisory form on GitHub to securely and privately report a vulnerability to us.

We will send you a response as soon as possible and will keep you informed on our progress towards a fix and announcement.

Please do not write to us publicly, e.g. in the forum, on Discord or in a GitHub issue. A public report can give attackers valuable time to exploit the issue before it is fixed.

By letting us know directly and coordinating the disclosure with us, you can help to protect other Kirby users from such attacks.

Also please do not request a CVE ID from organizations like MITRE. The responsible CVE Numbering Authority (CNA) for Kirby is GitHub. We can and will request a CVE ID for each confirmed vulnerability and will provide it to you in advance of the coordinated release.