CVE-2026-44177: Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup

May 26, 2026

In affected releases, Kirby did not correctly validate the provided user ID, causing a path traversal vulnerability. This vulnerability results in the following impact:

Arbitrary PHP file inclusion of files with the filename index.php (e.g. the main PHP files of plugins), the impact of which depends on the contents and logic inside the includable files.
Probing of the existence of arbitrary directories on the server, which can allow attackers to fingerprint the server and site setup, including installed plugins and the content structure.

References

github.com/advisories/GHSA-9hx7-c53c-v6x8
github.com/getkirby/kirby/releases/tag/5.4.1
github.com/getkirby/kirby/security/advisories/GHSA-9hx7-c53c-v6x8
nvd.nist.gov/vuln/detail/CVE-2026-44177

Code Behaviors & Features

Detect and mitigate CVE-2026-44177 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →