{ "latest": "5.3.3", "versions": { "5.3.3": { "status": "latest", "description": "Latest Kirby release" }, ">=5.2.2": { "status": "no-vulnerabilities", "description": "No known vulnerabilities" }, "5.*": { "status": "active-support", "description": "Actively supported", "latest": "5.3.3", "initialRelease": "2025-06-24", "endOfActiveSupport": null, "endOfLife": "2028-06-24" }, "4.*": { "status": "security-support", "description": "Security support until November 28, 2026", "latest": "4.8.0", "initialRelease": "2023-11-28", "endOfActiveSupport": "2025-06-24", "endOfLife": "2026-11-28" }, "3.10.*": { "status": "end-of-life", "description": "Not supported (end of life) since December 1, 2025", "latest": "3.10.1.2", "initialRelease": "2023-12-19", "endOfActiveSupport": "2023-12-19", "endOfLife": "2025-12-01" }, "3.9.*": { "status": "end-of-life", "description": "Not supported (end of life) since December 1, 2025", "latest": "3.10.1.2", "initialRelease": "2023-01-17", "endOfActiveSupport": "2023-11-28", "endOfLife": "2025-12-01" }, "3.8.*": { "status": "end-of-life", "description": "Not supported (end of life) since December 2, 2024", "latest": "3.10.1.2", "initialRelease": "2022-10-06", "endOfActiveSupport": "2023-01-17", "endOfLife": "2024-12-02" }, "3.7.*": { "status": "end-of-life", "description": "Not supported (end of life) since June 27, 2024", "latest": "3.10.1.2", "initialRelease": "2022-06-27", "endOfActiveSupport": "2022-10-06", "endOfLife": "2024-06-27" }, "3.6.*": { "status": "end-of-life", "description": "Not supported (end of life) since June 27, 2024", "latest": "3.10.1.2", "initialRelease": "2021-11-16", "endOfActiveSupport": "2022-06-27", "endOfLife": "2024-06-27" }, "3.5.*": { "status": "end-of-life", "description": "Not supported (end of life) since November 16, 2023", "latest": "3.10.1.2", "initialRelease": "2020-12-15", "endOfActiveSupport": "2021-11-16", "endOfLife": "2023-11-16" }, "3.* <3.5": { "status": "end-of-life", "description": "Not supported (end of life) since November 16, 2021", "latest": "3.10.1.2", "initialRelease": "2019-02-05", "endOfActiveSupport": "2020-12-15", "endOfLife": "2021-11-16" }, "2.*": { "status": "end-of-life", "description": "Not supported (end of life) since January 1, 2021", "latest": "2.5.14", "initialRelease": "2014-10-07", "endOfActiveSupport": "2019-02-05", "endOfLife": "2021-01-01" }, "1.*": { "status": "end-of-life", "description": "Not supported (end of life) since February 1, 2016", "latest": "1.1.2", "initialRelease": "2012-01-09", "endOfActiveSupport": "2014-10-07", "endOfLife": "2016-02-01" } }, "urls": { "3.0.0 || 3.5.0 || 3.6.0 || 3.7.0 || 3.8.0 || 3.9.0 || 4.0.0 || 5.0.0": { "changes": "https://getkirby.com/releases/{{ version }}", "download": "https://github.com/getkirby/kirby/archive/refs/tags/{{ version }}.zip", "upgrade": "https://getkirby.com/releases/5" }, ">=3.0.0": { "changes": "https://github.com/getkirby/kirby/releases/tag/{{ version }}", "download": "https://github.com/getkirby/kirby/archive/refs/tags/{{ version }}.zip", "upgrade": "https://getkirby.com/releases/5" }, "2.*": { "changes": "https://github.com/getkirby-v2/kirby/releases/tag/{{ version }}", "download": "https://github.com/getkirby-v2/kirby/archive/refs/tags/{{ version }}.zip", "upgrade": "https://getkirby.com/releases/5" }, "1.*": { "changes": "https://github.com/getkirby-v1/starterkit/releases/tag/{{ version }}", "upgrade": "https://getkirby.com/releases/5" } }, "php": { "8.0": "2023-11-26", "8.1": "2025-12-31", "8.2": "2026-12-31", "8.3": "2027-12-31", "8.4": "2028-12-31", "8.5": "2029-12-31" }, "incidents": [ { "affected": "5.0.0 - 5.2.1", "fixed": "5.2.2", "description": "Missing permission checks in the content changes API", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f", "severity": "medium", "score": 5.8, "cve": "CVE-2026-21896", "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "affected": "5.0.0 - 5.1.3", "fixed": "5.1.4", "description": "Cross-site scripting (XSS) in the changes dialog", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-84hf-8gh5-575j", "severity": "medium", "score": 5.1, "cve": "CVE-2025-65012", "cvss": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "affected": "<=3.9.8.2 || 3.10.0 - 3.10.1.1 || 4.0.0 - 4.7.0", "fixed": "3.9.8.3, 3.10.1.2, 4.7.1", "description": "Path traversal of collection names during file system lookup", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-x275-h9j4-7p4h", "severity": "medium", "score": 6.3, "cve": "CVE-2025-31493", "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "affected": "<=3.9.8.2 || 3.10.0 - 3.10.1.1 || 4.0.0 - 4.7.0", "fixed": "3.9.8.3, 3.10.1.2, 4.7.1", "description": "Path traversal in the router for PHP's built-in server", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-9p3p-w5jf-8xxg", "severity": "low", "score": 2.3, "cve": "CVE-2025-30207", "cvss": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "affected": "<=3.9.8.2 || 3.10.0 - 3.10.1.1 || 4.0.0 - 4.7.0", "fixed": "3.9.8.3, 3.10.1.2, 4.7.1", "description": "Path traversal of snippet names during file system lookup", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-fw82-87p8-v6hp", "severity": "medium", "score": 6.3, "cve": "CVE-2025-30159", "cvss": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "affected": "<=3.6.6.5 || 3.7.0 - 3.7.5.4 || 3.8.0 - 3.8.4.3 || 3.9.0 - 3.9.8.1 || 3.10.0 - 3.10.1 || 4.0.0 - 4.3.0", "fixed": "3.6.6.6, 3.7.5.5, 3.8.4.4, 3.9.8.2, 3.10.1.1, 4.3.1", "description": "Insufficient permission checks in the language settings", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-jm9m-rqr3-wfmh", "severity": "high", "score": 8.1, "cve": "CVE-2024-41964", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" }, { "affected": "4.0.0 - 4.1.0", "fixed": "4.1.1", "description": "Cross-site scripting (XSS) in the link field \"Custom\" type", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-63h4-w25c-3qv4", "severity": "medium", "score": 4.6, "cve": "CVE-2024-27087", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "affected": "<=3.6.6.4 || 3.7.0 - 3.7.5.3 || 3.8.0 - 3.8.4.2 || 3.9.0 - 3.9.8 || 3.10.0 || 4.0.0 - 4.1.0", "fixed": "3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, 4.1.1", "description": "Unrestricted file upload of user avatar images", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-xrvh-rvc4-5m43", "severity": "medium", "score": 4.6, "cve": "CVE-2024-26483", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "affected": "<=3.6.6.4 || 3.7.0 - 3.7.5.3 || 3.8.0 - 3.8.4.2 || 3.9.0 - 3.9.8 || 3.10.0 || 4.0.0 - 4.1.0", "fixed": "3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, 4.1.1", "description": "Self cross-site scripting (self-XSS) in the URL field", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-57f2-8p89-66x6", "severity": "medium", "score": 4.2, "cve": "CVE-2024-26481", "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "affected": "<=3.5.8.2 || 3.6.0 - 3.6.6.2 || 3.7.0 - 3.7.5.1 || 3.8.0 - 3.8.4 || 3.9.0 - 3.9.5", "fixed": "3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6", "description": "Denial of service from unlimited password lengths", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-3v6j-v3qc-cxff", "severity": "medium", "score": 5.3, "cve": "CVE-2023-38492", "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "affected": "<=3.5.8.2 || 3.6.0 - 3.6.6.2 || 3.7.0 - 3.7.5.1 || 3.8.0 - 3.8.4 || 3.9.0 - 3.9.5", "fixed": "3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6", "description": "Cross-site scripting (XSS) from MIME type auto-detection of uploaded files", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-8fv7-wq38-f5c9", "severity": "medium", "score": 5.7, "cve": "CVE-2023-38491", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "affected": "<=3.5.8.2 || 3.6.0 - 3.6.6.2 || 3.7.0 - 3.7.5.1 || 3.8.0 - 3.8.4 || 3.9.0 - 3.9.5", "fixed": "3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6", "description": "XML External Entity (XXE) vulnerability in the XML data handler", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-q386-w6fg-gmgp", "severity": "medium", "score": 6.8, "cve": "CVE-2023-38490", "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "affected": "<=3.5.8.2 || 3.6.0 - 3.6.6.2 || 3.7.0 - 3.7.5.1 || 3.8.0 - 3.8.4 || 3.9.0 - 3.9.5", "fixed": "3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6", "description": "Insufficient Session Expiration after a password change", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45", "severity": "high", "score": 7.3, "cve": "CVE-2023-38489", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N" }, { "affected": "<=3.5.8.2 || 3.6.0 - 3.6.6.2 || 3.7.0 - 3.7.5.1 || 3.8.0 - 3.8.4 || 3.9.0 - 3.9.5", "fixed": "3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6", "description": "Field injection in the KirbyData text storage handler", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-x5mr-p6v4-wp93", "severity": "high", "score": 7.1, "cve": "CVE-2023-38488", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L" }, { "affected": "<=3.5.8.1 || 3.6.0 - 3.6.6.1 || 3.7.0 - 3.7.5 || 3.8.0", "fixed": "3.5.8.2, 3.6.6.2, 3.7.5.1, 3.8.1", "description": "User enumeration in the brute force protection", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f", "severity": "medium", "score": 6.5, "cve": "CVE-2022-39315", "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "affected": "3.5.0 - 3.5.8.1 || 3.6.0 - 3.6.6.1 || 3.7.0 - 3.7.5 || 3.8.0", "fixed": "3.5.8.2, 3.6.6.2, 3.7.5.1, 3.8.1", "description": "User enumeration in the code-based login and password reset forms", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-43qq-qw4x-28f8", "severity": "medium", "score": 4.8, "cve": "CVE-2022-39314", "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "affected": "<=3.5.8", "fixed": "3.5.8.1", "description": "Cross-site scripting (XSS) from dynamic options in the multiselect field", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-3f89-869f-5w76", "severity": "medium", "score": 5.9, "cve": "CVE-2022-36037", "cvss": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "affected": "3.5.7 - 3.5.8 || 3.6.0 - 3.6.6 || 3.7.0 - 3.7.3", "fixed": "3.5.8.1, 3.6.6.1, 3.7.4", "description": "Cross-site scripting (XSS) from content entered in the tags and multiselect fields", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-rv3r-vqjj-8c76", "severity": "high", "score": 7.1, "cve": "CVE-2022-35174", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "affected": "3.5.0 - 3.5.7.1", "fixed": "3.5.8", "description": "Cross-site scripting (XSS) from image block content in the site frontend", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-cq58-r77c-5jjw", "severity": "medium", "score": 5.4, "cve": "CVE-2021-41258", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "affected": "3.5.0 - 3.5.7.1", "fixed": "3.5.8", "description": "Cross-site scripting (XSS) from writer field content in the site frontend", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q", "severity": "medium", "score": 5.4, "cve": "CVE-2021-41252", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "affected": "<=3.5.6", "fixed": "3.5.7", "description": "Cross-site scripting (XSS) from field and configuration text displayed in the Panel", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm", "severity": "high", "score": 7.1, "cve": "CVE-2021-32735", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" }, { "affected": "<=3.5.3.1", "fixed": "3.5.4", "description": "Cross-site scripting (XSS) from unvalidated uploaded SVG or XML files", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-qgp4-5qx6-548g", "severity": "high", "score": 7.6, "cve": "CVE-2021-29460", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "affected": "<=2.5.13 || 3.0.0 - 3.4.4", "fixed": "2.5.14, 3.4.5", "description": "Remote code execution (RCE) from PHP Phar archives uploaded by Panel users as content files", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-g3h8-cg9x-47qw", "severity": "critical", "score": 10, "cve": "CVE-2020-26255", "cvss": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "affected": "<=2.5.13 || 3.0.0 - 3.3.5", "fixed": "2.5.14, 3.3.6", "description": "External Initialization of the Panel on .dev domains and some reverse proxy setups", "link": "https://github.com/getkirby/kirby/security/advisories/GHSA-2ccx-2gf3-8xvv", "severity": "medium", "score": 6.5, "cve": "CVE-2020-26253", "cvss": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N" } ], "messages": [] }