Kirby: User avatar creation, replacement and deletion are not gated...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

Basic Information

ID CVE-2026-42174

Source GitHub_M

Published May 9, 2026 at 03:39

Affected Product

Vendor getkirby

Product kirby

Version < 4.9.0

Affected Versions getkirby kirby < 4.9.0
getkirby kirby >= 5.0.0, < 5.4.0

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.",
    "published": "2026-05-09T03:39:06.016Z",
    "modified": "2026-05-09T03:39:06.016Z",
    "type": "cve",
    "title": "Kirby: User avatar creation, replacement and deletion are not gated by user update permissions",
    "source": "GitHub_M",
    "references": "https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2\nhttps://github.com/getkirby/kirby/releases/tag/4.9.0\nhttps://github.com/getkirby/kirby/releases/tag/5.4.0",
    "id": "CVE-2026-42174",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "getkirby kirby < 4.9.0\ngetkirby kirby >= 5.0.0, < 5.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "kirby",
    "version": "< 4.9.0",
    "vendor": "getkirby",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Kirby: User avatar creation, replacement and deletion are not gated by user update permissions_CVE-2026-42174