CVE-2026-42137 - Kirby: `pages.access/list` and `files.access/list` permissions are not consistently checked in the REST API and changes dialog
CVE ID :CVE-2026-42137
Published : May 9, 2026, 4:16 a.m. | 5 hours, 1 minute ago
Description :Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : May 9, 2026, 4:16 a.m. | 5 hours, 1 minute ago
Description :Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...