CVE-2026-42174 | THREATINT

Description

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0.

PUBLISHED Reserved 2026-04-25 | Published 2026-05-09 | Updated 2026-05-09 | Assigner GitHub_M

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

< 4.9.0

affected

>= 5.0.0, < 5.4.0

affected

References

github.com/.../kirby/security/advisories/GHSA-39cp-6679-8xv2

github.com/getkirby/kirby/releases/tag/4.9.0

github.com/getkirby/kirby/releases/tag/5.4.0

cve.org (CVE-2026-42174)

nvd.nist.gov (CVE-2026-42174)

Download JSON