CVE-2026-34587: Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering

Kirby provides field types (checkboxes, color, multiselect, select, radio, tags and toggles) that offer a fixed set of options from a configured list. This configured list can be statically defined in the blueprint or it can come from a Kirby query or (external) API source. Options coming from a query or API are treated as dynamic.

Static options can contain queries in the form {{ query }} or {< query >} that are then evaluated to a static value. Because the queries are defined in the blueprint, they can be trusted and cannot be controlled by attackers.

However, dynamic options can often not be trusted. This is why the “options from query” and “options from API” modes are intended to resolve the option values and text strings based on queries not defined within the data source but within the blueprint.

Unfortunately, the results of these trusted queries on untrusted source data are run through the query parser a second time in affected Kirby releases.

Because of the double-resolution of dynamic option values and text strings, attackers could place malicious query templates such as {{ users.first.password }} or {{ page.delete }} in the option sources such as page titles or external API data controlled by the attacker. These queries would then be executed when the field is loaded in the Panel. When the attacker directly accesses the respective Panel view, they could get access to information normally hidden from them. As the malicious query templates are loaded for all users, it could also lead to malicious write access when another user with a higher permission level accesses the manipulated Panel view.