🐛 Bug fixes

• Throw exceptions for UUID cache misses when content.uuid.index = false is set only in debug mode #8150

🚨 Security

• Updated PHP and JS dependencies

🚨 Security

• Updated PHP and JS dependencies

🚨 Security

After our 5.4.1 release yesterday, the symfony/yaml package had a security release today. This is a patched version with the updated yaml dependency.

🚨 Security

After our 4.9.1 release yesterday, the symfony/yaml package had a security release today. This is a patched version with the updated yaml dependency.

Update: After our 5.4.1 release yesterday, the symfony/yaml package had a security release today. There is a patched version with the updated yaml dependency: https://github.com/getkirby/kirby/releases/tag/5.4.2

🚨 Security

Pre-authentication path traversal and PHP file inclusion during user lookup

This vulnerability affects all Kirby sites on Kirby 5.3.0-5.4.0 and is independent from setup conditions and authentication.

This vulnerability is of high severity for all Kirby sites.

• CVE ID: CVE-2026-44177
• Severity: high (CVSS score 8.8)
• Advisory: GHSA-9hx7-c53c-v6x8

Thanks to @offset for responsibly reporting the identified issue.

Arbitrary Method Call via REST API search and collection query endpoints

This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.

This vulnerability is of high severity for affected sites and has a high real-world impact.

• CVE ID: CVE-2026-44174
• Severity: high (CVSS score 8.7)
• Advisory: GHSA-86rh-h242-j8xp

Thanks to @mojamojam for responsibly reporting the identified issue.

Cross-site scripting (XSS) from list field content in the site frontend

This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block.

This vulnerability is of high severity for affected sites.

Your Kirby sites are not affected if you don't use the list field (or blocks field with the list block) in any of your blueprints, or if every user who can edit content is fully trusted. The attack only surfaces in the site frontend (i.e. in your templates). The Panel itself is unaffected and will not execute JavaScript that was injected into list field content.

• CVE ID: CVE-2026-44175
• Severity: high (CVSS score 8.5)
• Advisory: GHSA-5fhx-9q32-q257

Thanks to @offset for responsibly reporting the identified issue.

Cross-site scripting (XSS) from links in KirbyTags, image blocks and imported blocks HTML in the site frontend

This vulnerability affects all Kirby sites that allow the use of the (link: …) KirbyTag, the link: parameter of the (image: …) KirbyTag, the built-in image block with a link or the HTML importer for blocks, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any textarea or blocks field, or write access to content files through another vector (e.g. a frontend form or content sync pipeline). Another attack vector is the use of Html::a() or Html::link() with untrusted user input.

This vulnerability is of high severity for affected sites.

Your Kirby sites are not affected if none of the mentioned KirbyTags or block types are used, or if every user who can edit content is fully trusted. The attack only surfaces in the site frontend (i.e. in your templates). The Panel itself is unaffected and will not execute JavaScript that was injected into the textarea or blocks field content.

• CVE ID: CVE-2026-45368
• Severity: high (CVSS score 8.4)
• Advisory: GHSA-qvjf-922g-pj44

Thanks to @offset for responsibly reporting the identified issue.

pages.access permission is not checked during rendering of page drafts

This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages (pages.access permission is disabled). This can be due to configuration in the user blueprint(s), via options in the model blueprint(s) or via a combination of both settings.

Your Kirby sites are not affected if you intend all users of your site to be able to access all page drafts of the site. The vulnerability can only be exploited by authenticated users. Write actions are not affected by this vulnerability.

• CVE ID: CVE-2026-44176
• Severity: moderate (CVSS score 6.0)
• Advisory: GHSA-2xw4-v2wx-hqq9

Thanks to @adrgs for responsibly reporting the identified issue.

Content locks disclose IDs and emails of inaccessible users from users.access/list permissions

This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the users.access or users.list permissions. A site is affected if users of a particular role are not allowed to see other users in the Panel, for example because the role's blueprint sets users.access: false or users.list: false as permission for the authenticated user role and/or as option for the target user role.

Your Kirby site is not affected if all authenticated Panel users are permitted to access and list other users. The vulnerability can only be exploited by authenticated users.

• CVE ID: CVE-2026-45334
• Severity: moderate (CVSS score 5.3)
• Advisory: GHSA-39vq-49qm-r2mc

Thanks to Matteo Panzeri (@matte1782) for responsibly reporting the identified issue.

✨ Enhancements

• New Kirby\Sane\Sane::sanitizeProseMirrorFields() method which sanitizes the value and converts non-breaking spaces to HTML entity to match ProseMirrors internal handling
• New Kirby\Http\Url::hasDangerousScheme()

🚨 Security fixes

• Validate user ID format and path containment in the accounts directory during user lookup with $users->find()
• Respect page access permissions when accessing/rendering drafts in frontend
• Remove insecure search options (sort and filter) in API routes
• New Kirby\Toolkit\BlockAccessAttribute for model methods that must not be used by filterBy or sortBy in Collections.
• List field values now are sanitized to protect it from XSS attacks
• Fix information disclosure in content lock data: the locking user's email and ID now hidden from users who do not have permission to list that user
• Ensure Kirby\Toolkit\Html::link() and Kirby\Http\Url::isAbsolute() do not allow dangerous schemes
• The blocks HTML importer no longer imports link URLs with dangerous schemes

🐛 Bug fixes

• Fixed using ::filter()/::filterBy() with non-default separators #8062
• Fixed picker dialogs to respect the search: false option #8054
• Fixed multiselect field search (thanks @lauriii) #8067
• Fixed JSON response error showing up on throttled Panel API calls #7351
• Imagick thumb driver: fixed preserving profiles listed in profiles option #8066
• Improve thumbnail generation reliability by writing thumbs #4632
• Panel file view: refresh view after replacing the file #8073
• Prevents ghost duplicate page folders caused by stale concurrent writes after page reordering #7964
• Fixed return type docs for  Collection::first() and Collection::last() to include null for empty collections #8094
• Pagination is now visible in the file-browser dialog #8080
• Fixed chunked uploads using the wrong file blueprint #8086
• Fixed first toggles option in blocks is selectable again #8093
• Time field: Fixed min/max validation message #8128

🚨 Breaking changes

• Html::link() does no longer accept javascript: URLs. This is a dangerous anti-pattern with many better frontend alternatives and leaves too much space for potential attacks.

🧹 Housekeeping

• Upgrade npm dependencies #8060

Update: After our 4.9.1 release yesterday, the symfony/yaml package had a security release today. There is a patched version with the updated yaml dependency: https://github.com/getkirby/kirby/releases/tag/4.9.2

🚨 Security

This is a backport of our security release for Kirby 5. For all details and vulnerabilities see: https://github.com/getkirby/kirby/releases/tag/5.4.1

We recommend all users upgrade to Kirby 5. If an upgrade is not possible, this security release is the alternative solution.

🚨 Security

Server-Side Template Injection (SSTI) via double template resolution in option rendering

This vulnerability affects all Kirby sites that use option fields (checkboxes, color, multiselect, select, radio, tags or toggles) with options from a query or API whose values may not be fully trusted. It also affects direct uses of the OptionsApi or OptionsQuery classes of Kirby's Options package from plugin or site code. The attack requires either an
attacker in the group of authenticated Panel users or user interaction of another authenticated user.

This vulnerability is of high severity for affected sites.

Your Kirby sites are not affected if you are not using any of the mentioned fields or the Options package, if all options are defined statically in the blueprints or if all dynamically gathered options are to be trusted.

• CVE ID: CVE-2026-34587
• Severity: high (CVSS score 7.6)
• Advisory: GHSA-jcjw-58rv-c452

Thanks to @offset for responsibly reporting the identified issue.

Page, file and user creation APIs bypass create permission check via unfiltered blueprint parameter

This vulnerability affects all Kirby sites where users of a particular role have no permission to create pages, files or users (pages.create, files.create or users.create permission is disabled). This can be due to configuration in the user blueprint(s), via options in the model blueprint(s) or via a combination of both settings.

This vulnerability is of high severity for affected sites.

Your Kirby sites are not affected if you intend all users of your site to be able to create pages, files and users. The vulnerability can only be exploited by authenticated users.

• CVE ID: CVE-2026-41325
• Severity: high (CVSS score 7.1)
• Advisory: GHSA-6gqr-mx34-wh8r

Thanks to @offset for responsibly reporting the identified issue.

pages.access/list and files.access/list permissions are not consistently checked in the Panel and REST API

This vulnerability affects all Kirby sites where users of a particular role have no permission to access or list pages or files (pages.access, pages.list, files.access or files.list permission is disabled). This can be due to configuration in the user blueprint(s), via options in the model blueprint(s) or via a combination of both settings.

This vulnerability is of high severity for affected sites.

Your Kirby sites are not affected if you intend all users of your site to be able to access all pages and files of the site. The vulnerability can only be exploited by authenticated users.
Write actions are not affected by this vulnerability.

• CVE ID: CVE-2026-42137
• Severity: high (CVSS score 7.1)
• Advisory: GHSA-85x2-r8xv-ww8c

Read access to site, user and role information is not gated by permissions

This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.

This vulnerability is of high severity for affected sites.

Your Kirby sites are not affected if you intend all users of your site to be able to list and access the site model and all users and roles, including the content stored within these models.
Write actions are not affected by this vulnerability as they were gated by permissions before.

• CVE ID: CVE-2026-42069
• Severity: high (CVSS score 7.1)
• Advisory: GHSA-2h7v-4372-f6x2

Thanks to @HuajiHD for responsibly reporting the identified issue.

XML Injection in the XML creator toolkit

This vulnerability only affects Kirby sites that use the Xml data handler (e.g. Data::encode($string, 'xml')) or the Xml::create(), Xml::tag() or Xml::value() method(s) in site or plugin code. The Kirby core does not use any of the affected methods.

If you use an affected method and cannot rule out input to these methods controlled by an attacker, we strongly recommend to update to a patch release.

• CVE ID: CVE-2026-32870
• Severity: medium (CVSS score 6.9)
• Advisory: GHSA-9wfj-c55w-j9qr

Thanks to Patrick Falb (@dapatrese) at FORMER 03 for responsibly reporting the identified issue.

User avatar creation, replacement and deletion are not gated by user update permissions

This vulnerability affects all Kirby sites where users of a particular role have no permission to update user information (user.update or users.update permission is disabled). This can be due to configuration in the blueprint(s) of the acting users, via options in the blueprint(s) of the target users or via a combination of both settings.

Your Kirby sites are not affected if you intend all users of your site to be able to upload, replace or delete user avatars. The vulnerability can only be exploited by authenticated users.

• CVE ID: CVE-2026-42174
• Severity: moderate (CVSS score 5.3)
• Advisory: GHSA-39cp-6679-8xv2

Page creation API bypasses changeStatus permission check via unfiltered isDraft parameter

This vulnerability affects all Kirby sites where users have the permission to create pages (pages.create permission is enabled) but not the permission to change the status of pages (pages.changeStatus permission is disabled). This can be due to configuration in the user blueprint(s), via options in the page blueprint(s) or via a combination of both settings.

Your Kirby sites are not affected if your use case does not consider the creation of published pages a malicious action. The vulnerability can only be exploited by authenticated users.

• CVE ID: CVE-2026-40099
• Severity: moderate (CVSS score 5.3)
• Advisory: GHSA-w942-j9r6-hr6r

Thanks to @offset for responsibly reporting the identified issue.

System API endpoint leaks installed version and license data to authenticated users

This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users.

• CVE ID: CVE-2026-42051
• Severity: moderate (CVSS score 5.3)
• Advisory: GHSA-x68m-c7jf-2572

Thanks to @HuajiHD and @0x-bala for responsibly reporting the identified issue.

✨ Enhancements

• Site permissions
  • New access permission for the site
  • New Kirby\Cms\Site::isAccessible() method checking if the current user has access permission for the site
  • New static Kirby\Cms\Find::site() method returning the site object or throwingKirby\Exception\NotFoundException if the site is not accessible
  • New i18n string error.site.notAccessible added to i18n/translations/en.json
• User permissions
  • New access and list permissions for users and the current user.
  • New Kirby\Cms\User::isAccessible() method checking if the current user has access permission for a given user
  • New Kirby\Cms\User::isListable() method checking if a user is both accessible and has list permission. Inaccessible users are implicitly not listable
  • New static Kirby\Cms\Find::users() method returning only users filtered by isListable()
• Role permissions
  • New Kirby\Cms\Role::isAccessible() method checking if the current user has users.access or user.access permission. If the role is the same role as the user's, the user.access permissions are checked. Otherwise users.access.
  • New static Kirby\Cms\Find::role() and Kirby\Cms\Find::roles() methods returning only roles filtered by isAccessible()
  • Added a new error.role.notFound translation key.
• Avatar permissions
  • New avatar hooks user.createAvatar, user.replaceAvatar, user.deleteAvatar (including :before and :after)
  • New User class methods: User::createAvatar(), User::replaceAvatar(), User::deleteAvatar()
  • New User rules: UserRules::createAvatar(), UserRules::replaceAvatar(), UserRules::deleteAvatar(), UserRules::validAvatar()

🚨 Security fixes

• The GET /system API route now consistently filters the relevant set of information by current system state
• Kirby\Cms\Find::parent() now uses Kirby\Cms\Find::site() instead of $kirby->site() for the site model lookup
• Kirby\Cms\Api::site() now delegates to Kirby\Cms\Find::site() instead of $this->kirby->site()
• config/api/models/System.php the title field now reads directly from $this->kirby()->site() to bypass the site.access permission check, ensuring the title is always available
• The page.move dialog now uses Kirby\Cms\Find::site() in the submit handler, when a page gets moved to the top-level
• Kirby\Cms\Find::user() now enforces isAccessible() on the resolved user, throwing Kirby\Exception\NotFoundException if the user exists but is inaccessible
• API routes (config/api/routes/users.php): all `$this->user()...

🚨 Security

This is a backport of our security release for Kirby 5. For all details and vulnerabilities see: https://github.com/getkirby/kirby/releases/tag/5.4.0

We recommend all users upgrade to Kirby 5. If an upgrade is not possible, this security release is the alternative solution.

🐛 Bug fixes

• Pages section table index resets to 1 on each pagination page #8002
• Added missing return types to Kirby\Cms\Responder #8013
• Disabling PHP's post_max_size no longer causes uploads to fail. #8022
• Fixed the Panel offline warning dialog text in dark mode #8047
• Fixed site view buttons when home preview is false #8046
• Added labels to the blocks field options button and the form controls more button (thanks @FlorianBoe) #8035

🧹 Housekeeping

• Improve test coverage for the Database package #8021
• Updated JS dependencies

🐛 Bug fixes

• Child page content no longer includes parent’s content after using page create dialog #7970
• Url::to() strips content representation extension on multilang sites #7965
• Prevent duplicate draft when using page.create:after hook (Kirby 5.3.x) #7957

🧹 Housekeeping

• Switch to type module #7962
• Upgrade JS and PHP dependencies