CVE-2026-42174 is a medium-severity authorization issue in Kirby CMS. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement, and deletion were not properly gated by user update permissions. The issue was publicly disclosed on 2026-05-09 and is patched in those releases.
CVE-2026-42137 is a high-severity authorization flaw in Kirby CMS where `pages.access/list` and `files.access/list` permissions were not consistently enforced in the Panel and REST API. In affected versions before 4.9.0 and 5.4.0, this can expose page and file listing data to users who should not have access.
CVE-2026-42069 is a Kirby CMS access-control issue that allowed read access to site, user, and role information without permission checks. The issue was published on 2026-05-09 and is rated HIGH (CVSS 7.1). According to the official sources, the fix is available in Kirby 4.9.0 and 5.4.0.
CVE-2026-42051 is an information-disclosure issue in Kirby CMS. According to the supplied advisory and NVD record, authenticated users could access system API data that reveals license details and the installed version in versions prior to 4.9.0 and 5.4.0. The issue is patched in those releases. The reported severity is medium, consistent with limited confidentiality impact and no direct integrity or avai [truncated]