👀 Get a glimpse of Kirby 5 Learn more
Skip to content
    Search by Algolia Algolia

    Security Policy

    Supported Versions

    Kirby 4.8.0 is the latest Kirby release.

    There are no known vulnerabilities in all releases since 4.7.1. Previous major releases have received backported fixes for known vulnerabilities, see below.

    In the following table and calendar, you can find all major releases with their current support status:

    Kirby Version Supported Initial Release Feature Updates Until Security Updates Until
    v4 November 28, 2023 Next major release November 28, 2026
    v3.10 ⚠️ December 19, 2023 December 19, 2023 December 1, 2025
    v3.9 ⚠️ January 17, 2023 November 28, 2023 December 1, 2025
    v3.8 October 6, 2022 January 17, 2023 December 2, 2024
    v3.7 June 27, 2022 October 6, 2022 June 27, 2024
    v3.6 November 16, 2021 June 27, 2022 June 27, 2024
    v3.5 December 15, 2020 November 16, 2021 November 16, 2023
    v3 February 5, 2019 December 15, 2020 November 16, 2021
    v2 October 7, 2014 February 5, 2019 January 1, 2021
    v1 January 9, 2012 October 7, 2014 February 1, 2016
    v3.5 v3.6 v3.7 v3.8 v3.9 v3.10 v4 Jan 1, 2022 Jan 1, 2023 Jan 1, 2024 Jan 1, 2025 Jan 1, 2026 Jan 1, 2027 Jan 1, 2028 Jan 1, 2029 Today: Jun 23, 2025
    This marks the major release with active support. This release receives functionality updates, improvements and bug fixes.
    ⚠️ Releases with this symbol only receive security updates. Read more ›
    Releases with this symbol have reached their end of life and should not be used in production any longer. Read more ›

    If you need the version information from this page in a machine-readable format, you can use the JSON representation.

    Past Security Incidents

    Affected Description Severity CVE ID Fixed in
    <=3.9.8.2
    3.10.0 - 3.10.1.1
    4.0.0 - 4.7.0     		Path traversal of collection names during file system lookup Read more › medium (6.3) CVE-2025-31493 3.9.8.3 3.10.1.2 4.7.1
    <=3.9.8.2
    3.10.0 - 3.10.1.1
    4.0.0 - 4.7.0     		Path traversal in the router for PHP's built-in server Read more › low (2.3) CVE-2025-30207 3.9.8.3 3.10.1.2 4.7.1
    <=3.9.8.2
    3.10.0 - 3.10.1.1
    4.0.0 - 4.7.0     		Path traversal of snippet names during file system lookup Read more › medium (6.3) CVE-2025-30159 3.9.8.3 3.10.1.2 4.7.1
    <=3.6.6.5
    3.7.0 - 3.7.5.4
    3.8.0 - 3.8.4.3
    3.9.0 - 3.9.8.1
    3.10.0 - 3.10.1
    4.0.0 - 4.3.0     		Insufficient permission checks in the language settings Read more › high (8.1) CVE-2024-41964 3.6.6.6 3.7.5.5 3.8.4.4 3.9.8.2 3.10.1.1 4.3.1
    4.0.0 - 4.1.0 Cross-site scripting (XSS) in the link field "Custom" type Read more › medium (4.6) CVE-2024-27087 4.1.1
    <=3.6.6.4
    3.7.0 - 3.7.5.3
    3.8.0 - 3.8.4.2
    3.9.0 - 3.9.8
    3.10.0
    4.0.0 - 4.1.0     		Unrestricted file upload of user avatar images Read more › medium (4.6) CVE-2024-26483 3.6.6.5 3.7.5.4 3.8.4.3 3.9.8.1 3.10.0.1 4.1.1
    <=3.6.6.4
    3.7.0 - 3.7.5.3
    3.8.0 - 3.8.4.2
    3.9.0 - 3.9.8
    3.10.0
    4.0.0 - 4.1.0     		Self cross-site scripting (self-XSS) in the URL field Read more › medium (4.2) CVE-2024-26481 3.6.6.5 3.7.5.4 3.8.4.3 3.9.8.1 3.10.0.1 4.1.1
    <=3.5.8.2
    3.6.0 - 3.6.6.2
    3.7.0 - 3.7.5.1
    3.8.0 - 3.8.4
    3.9.0 - 3.9.5     		Denial of service from unlimited password lengths Read more › medium (5.3) CVE-2023-38492 3.5.8.3 3.6.6.3 3.7.5.2 3.8.4.1 3.9.6
    <=3.5.8.2
    3.6.0 - 3.6.6.2
    3.7.0 - 3.7.5.1
    3.8.0 - 3.8.4
    3.9.0 - 3.9.5     		Cross-site scripting (XSS) from MIME type auto-detection of uploaded files Read more › medium (5.7) CVE-2023-38491 3.5.8.3 3.6.6.3 3.7.5.2 3.8.4.1 3.9.6
    <=3.5.8.2
    3.6.0 - 3.6.6.2
    3.7.0 - 3.7.5.1
    3.8.0 - 3.8.4
    3.9.0 - 3.9.5     		XML External Entity (XXE) vulnerability in the XML data handler Read more › medium (6.8) CVE-2023-38490 3.5.8.3 3.6.6.3 3.7.5.2 3.8.4.1 3.9.6
    <=3.5.8.2
    3.6.0 - 3.6.6.2
    3.7.0 - 3.7.5.1
    3.8.0 - 3.8.4
    3.9.0 - 3.9.5     		Insufficient Session Expiration after a password change Read more › high (7.3) CVE-2023-38489 3.5.8.3 3.6.6.3 3.7.5.2 3.8.4.1 3.9.6
    <=3.5.8.2
    3.6.0 - 3.6.6.2
    3.7.0 - 3.7.5.1
    3.8.0 - 3.8.4
    3.9.0 - 3.9.5     		Field injection in the KirbyData text storage handler Read more › high (7.1) CVE-2023-38488 3.5.8.3 3.6.6.3 3.7.5.2 3.8.4.1 3.9.6
    <=3.5.8.1
    3.6.0 - 3.6.6.1
    3.7.0 - 3.7.5
    3.8.0     		User enumeration in the brute force protection Read more › medium (6.5) CVE-2022-39315 3.5.8.2 3.6.6.2 3.7.5.1 3.8.1
    3.5.0 - 3.5.8.1
    3.6.0 - 3.6.6.1
    3.7.0 - 3.7.5
    3.8.0     		User enumeration in the code-based login and password reset forms Read more › medium (4.8) CVE-2022-39314 3.5.8.2 3.6.6.2 3.7.5.1 3.8.1
    <=3.5.8 Cross-site scripting (XSS) from dynamic options in the multiselect field Read more › medium (5.9) CVE-2022-36037 3.5.8.1
    3.5.7 - 3.5.8
    3.6.0 - 3.6.6
    3.7.0 - 3.7.3     		Cross-site scripting (XSS) from content entered in the tags and multiselect fields Read more › high (7.1) CVE-2022-35174 3.5.8.1 3.6.6.1 3.7.4
    3.5.0 - 3.5.7.1 Cross-site scripting (XSS) from image block content in the site frontend Read more › medium (5.4) CVE-2021-41258 3.5.8
    3.5.0 - 3.5.7.1 Cross-site scripting (XSS) from writer field content in the site frontend Read more › medium (5.4) CVE-2021-41252 3.5.8
    <=3.5.6 Cross-site scripting (XSS) from field and configuration text displayed in the Panel Read more › high (7.1) CVE-2021-32735 3.5.7
    <=3.5.3.1 Cross-site scripting (XSS) from unvalidated uploaded SVG or XML files Read more › high (7.6) CVE-2021-29460 3.5.4
    <=2.5.13
    3.0.0 - 3.4.4     		Remote code execution (RCE) from PHP Phar archives uploaded by Panel users as content files Read more › critical (10) CVE-2020-26255 2.5.14 3.4.5
    <=2.5.13
    3.0.0 - 3.3.5     		External Initialization of the Panel on .dev domains and some reverse proxy setups Read more › medium (6.5) CVE-2020-26253 2.5.14 3.3.6

    Security Guide

    Please follow our security guide to keep your Kirby installation secure.

    Reporting a Vulnerability

    If you have spotted a vulnerability in Kirby's core or the Panel, please make sure to let us know immediately. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

    You can always contact us directly at security@getkirby.com.
    If you want to encrypt your message, our GPG key is 6E6B 057A F491 FFAD 363F  6F49 9101 10FA A459 E120.

    You can also use the security advisory form on GitHub to securely and privately report a vulnerability to us.

    We will send you a response as soon as possible and will keep you informed on our progress towards a fix and announcement.

    Please do not write to us publicly, e.g. in the forum, on Discord or in a GitHub issue. A public report can give attackers valuable time to exploit the issue before it is fixed.

    By letting us know directly and coordinating the disclosure with us, you can help to protect other Kirby users from such attacks.

    Also please do not request a CVE ID from organizations like MITRE. The responsible CVE Numbering Authority (CNA) for Kirby is GitHub. We can and will request a CVE ID for each confirmed vulnerability and will provide it to you in advance of the coordinated release.