CVE-2026-54005: Kirby: `pages.access` permission is not checked in the `site/find` REST API route
In affected releases, Kirby did not check whether the queried pages were accessible to the currently authenticated user.
This can lead to disclosure of sensitive information contained in inaccessible pages, including the confirmation of the existence of individual pages as well as disclosure of sensitive content fields stored in the pages. Linked children, siblings, or files were not affected by this vulnerability as they were already properly filtered by the appropriate `pages.list` and `files.list` permissions.
Because the `/api/site/find` route is read-only, the vulnerability does not allow malicious write access.
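The missing check can be pictured with a simplified model, added here as an illustration. It is not Kirby's code or its patch: the `Page` class, `findUnchecked()`, `findChecked()`, the role name and the sample pages are all hypothetical and constructed.

```php
<?php
declare(strict_types=1);
// Simplified model, not Kirby's code: Page, findUnchecked() and findChecked() are hypothetical.
final class Page
{
    public function __construct(
        public string $id,
        public array $content,
        public array $noAccess = [],  // roles denied pages.access on this page
        public array $noList = [],    // roles denied pages.list on this page
        public array $children = [],
    ) {}

    public function toArray(string $role): array
    {
        // Linked children are filtered by pages.list, as the advisory describes.
        $listed = array_filter($this->children, fn (Page $c) => !in_array($role, $c->noList, true));
        return [
            'id'       => $this->id,
            'content'  => $this->content,
            'children' => array_values(array_map(fn (Page $c) => $c->id, $listed)),
        ];
    }
}

// Affected pattern: requested IDs are resolved and serialised with no per-page check.
function findUnchecked(array $index, array $ids, string $role): array
{
    $hits = array_intersect_key($index, array_flip($ids));
    return array_values(array_map(fn (Page $p) => $p->toArray($role), $hits));
}

// Hardened pattern: pages the role cannot access are dropped before serialisation.
function findChecked(array $index, array $ids, string $role): array
{
    $hits = array_intersect_key($index, array_flip($ids));
    $hits = array_filter($hits, fn (Page $p) => !in_array($role, $p->noAccess, true));
    return array_values(array_map(fn (Page $p) => $p->toArray($role), $hits));
}

// Constructed sample data: one parent page with a child the "editor" role may not access or list.
$secret = new Page('internal/salaries', ['notes' => 'constructed confidential field'], ['editor'], ['editor']);
$index  = [
    'internal'          => new Page('internal', ['title' => 'Internal'], [], [], [$secret]),
    'internal/salaries' => $secret,
];
$ids = ['internal', 'internal/salaries'];
echo json_encode(findUnchecked($index, $ids, 'editor')), PHP_EOL;
echo json_encode(findChecked($index, $ids, 'editor')), PHP_EOL;
```

In both outputs the parent's `children` list hides the restricted page, which matches the advisory's note that linked children were already filtered. Only the direct lookup differs between the two functions.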