CVE-2026-54003: Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header

In affected releases, the isLocal check for the installation logic did not properly take the Forwarded: for=... header into account. This header is set by modern reverse proxy servers. It also did not take into account the X-Client-IP or X-Real-IP headers, which are set by some custom reverse proxy setups.

This caused Kirby to falsely assume that an installation request was local and allowed creating an admin account even though the reverse proxy forwarded the request from an external IP address.

Reverse proxies setting the X-Forwarded-For or Client-IP headers were not affected. These headers were already properly checked for external IP addresses.