Security Policy

Supported Versions

Kirby Version	Supported	Support Status
3.6.6	✅	Latest Kirby release, actively supported
>=3.5.8	✅	No known vulnerabilities
2.*	❌	Not supported (end of life) since January 1, 2021
1.*	❌	Not supported (end of life) since February 1, 2016

If you need the version information from this page in a machine-readable format, you can use the JSON representation.

Past Security Incidents

Affected	Description	Severity	Details	Fixed in
3.5.0-3.5.7.1	Cross-site scripting (XSS) from image block content in the site frontend	medium	CVE-2021-41258 GitHub	3.5.8
3.5.0-3.5.7.1	Cross-site scripting (XSS) from writer field content in the site frontend	medium	CVE-2021-41252 GitHub	3.5.8
<=3.5.6	Cross-site scripting (XSS) from field and configuration text displayed in the Panel	high	CVE-2021-32735 GitHub	3.5.7
<=3.5.3.1	Cross-site scripting (XSS) from unvalidated uploaded SVG or XML files	high	CVE-2021-29460 GitHub	3.5.4
<=3.4.4	PHP Phar archives could be uploaded by Panel users as content files and executed	critical	CVE-2020-26255 GitHub	3.4.5
<=3.3.5	Registration block: .dev domains and some reverse proxy setups were treated as local	medium	CVE-2020-26253 GitHub	3.3.6

Security Guide

Please follow our security guide to keep your Kirby installation secure.

Reporting a Vulnerability

If you have spotted a vulnerability in Kirby's core or the Panel, please make sure to let us know immediately. We take any report very seriously and we will react as soon as possible.

You can always write us directly at security@getkirby.com.
If you want to encrypt your message, our GPG key is 6E6B 057A F491 FFAD 363F 6F49 9101 10FA A459 E120.

Please do not write to us publicly, e.g. in the forum, as making security vulnerabilities public before they are fixed can give attackers valuable time to exploit the issue. By letting us know directly, you can protect other Kirby users from such attacks.