|Kirby Version||Supported||Support Status|
|3.8.0||✅||Latest Kirby release|
|>=3.7.4||✅||No known vulnerabilities|
|3.6.*||⚠️||Security support until June 26, 2024|
|3.5.*||⚠️||Security support until November 15, 2023|
|3.* <3.5||❌||Not supported (end of life) since November 16, 2021|
|2.*||❌||Not supported (end of life) since January 1, 2021|
|1.*||❌||Not supported (end of life) since February 1, 2016|
If you need the version information from this page in a machine-readable format, you can use the JSON representation.
|Affected||Description||Severity||CVE ID||Fixed in|
|<=3.5.8||Cross-site scripting (XSS) from dynamic options in the multiselect field Read more ›||medium||CVE-2022-36037||18.104.22.168|
|3.5.7 - 3.5.8 || 3.6.0 - 3.6.6 || 3.7.0 - 3.7.3||Cross-site scripting (XSS) from content entered in the tags and multiselect fields Read more ›||high||CVE-2022-35174||22.214.171.124 126.96.36.199 3.7.4|
|3.5.0 - 188.8.131.52||Cross-site scripting (XSS) from image block content in the site frontend Read more ›||medium||CVE-2021-41258||3.5.8|
|3.5.0 - 184.108.40.206||Cross-site scripting (XSS) from writer field content in the site frontend Read more ›||medium||CVE-2021-41252||3.5.8|
|<=3.5.6||Cross-site scripting (XSS) from field and configuration text displayed in the Panel Read more ›||high||CVE-2021-32735||3.5.7|
|<=220.127.116.11||Cross-site scripting (XSS) from unvalidated uploaded SVG or XML files Read more ›||high||CVE-2021-29460||3.5.4|
|<=2.5.13 || 3.0.0 - 3.4.4||Remote code execution (RCE) from PHP Phar archives uploaded by Panel users as content files Read more ›||critical||CVE-2020-26255||2.5.14 3.4.5|
|<=2.5.13 || 3.0.0 - 3.3.5||External Initialization of the Panel on .dev domains and some reverse proxy setups Read more ›||medium||CVE-2020-26253||2.5.14 3.3.6|
Please follow our security guide to keep your Kirby installation secure.
If you have spotted a vulnerability in Kirby's core or the Panel, please make sure to let us know immediately. We take any report very seriously and we will react as soon as possible.
Please do not write to us publicly, e.g. in the forum, on Discord or in a GitHub issue. A public report can give attackers valuable time to exploit the issue before it is fixed.
By letting us know directly and coordinating the disclosure with us, you can help to protect other Kirby users from such attacks.