{"api_version":"1","generated_at":"2026-07-17T16:43:26+00:00","cve":"CVE-2026-44174","urls":{"html":"https://cve.report/CVE-2026-44174","api":"https://cve.report/api/cve/CVE-2026-44174.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-44174","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-44174"},"summary":{"title":"Kirby: Arbitrary Method Call via REST API search and collection query endpoints","description":"Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password() (disclosing the password hash) or root() (disclosing the absolute filesystem path on the server) as well as methods that perform impactful actions such as loginPasswordless() (causing a privilege escalation to another user) or delete() (deleting all queried models in one go if the authenticated user has appropriate permissions). This issue has been fixed in versions 4.9.1 and 5.4.1.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-16 22:17:01","updated_at":"2026-07-16 22:17:01"},"problem_types":["CWE-470","CWE-470 CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"],"metrics":[{"version":"4.0","source":"security-advisories@github.com","type":"Secondary","score":"8.7","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"8.7","severity":"HIGH","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","data":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","privilegesRequired":"LOW","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH"}}],"references":[{"url":"https://github.com/getkirby/kirby/releases/tag/5.4.1","name":"https://github.com/getkirby/kirby/releases/tag/5.4.1","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-86rh-h242-j8xp","name":"https://github.com/getkirby/kirby/security/advisories/GHSA-86rh-h242-j8xp","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/getkirby/kirby/releases/tag/4.9.1","name":"https://github.com/getkirby/kirby/releases/tag/4.9.1","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-44174","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44174","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"getkirby","product":"kirby","version":"affected < 4.9.1","platforms":[]},{"source":"CNA","vendor":"getkirby","product":"kirby","version":"affected >= 5.0.0, < 5.4.1","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"kirby","vendor":"getkirby","versions":[{"status":"affected","version":"< 4.9.1"},{"status":"affected","version":">= 5.0.0, < 5.4.1"}]}],"descriptions":[{"lang":"en","value":"Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password() (disclosing the password hash) or root() (disclosing the absolute filesystem path on the server) as well as methods that perform impactful actions such as loginPasswordless() (causing a privilege escalation to another user) or delete() (deleting all queried models in one go if the authenticated user has appropriate permissions). This issue has been fixed in versions 4.9.1 and 5.4.1."}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","privilegesRequired":"LOW","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-470","description":"CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-16T21:13:43.133Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/getkirby/kirby/security/advisories/GHSA-86rh-h242-j8xp","tags":["x_refsource_CONFIRM"],"url":"https://github.com/getkirby/kirby/security/advisories/GHSA-86rh-h242-j8xp"},{"name":"https://github.com/getkirby/kirby/releases/tag/4.9.1","tags":["x_refsource_MISC"],"url":"https://github.com/getkirby/kirby/releases/tag/4.9.1"},{"name":"https://github.com/getkirby/kirby/releases/tag/5.4.1","tags":["x_refsource_MISC"],"url":"https://github.com/getkirby/kirby/releases/tag/5.4.1"}],"source":{"advisory":"GHSA-86rh-h242-j8xp","discovery":"UNKNOWN"},"title":"Kirby: Arbitrary Method Call via REST API search and collection query endpoints"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-44174","datePublished":"2026-07-16T21:13:43.133Z","dateReserved":"2026-05-05T14:39:34.923Z","dateUpdated":"2026-07-16T21:13:43.133Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-16 22:17:01","lastModifiedDate":"2026-07-16 22:17:01","problem_types":["CWE-470","CWE-470 CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"44174","Ordinal":"1","Title":"Kirby: Arbitrary Method Call via REST API search and collection ","CVE":"CVE-2026-44174","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"44174","Ordinal":"1","NoteData":"Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password() (disclosing the password hash) or root() (disclosing the absolute filesystem path on the server) as well as methods that perform impactful actions such as loginPasswordless() (causing a privilege escalation to another user) or delete() (deleting all queried models in one go if the authenticated user has appropriate permissions). This issue has been fixed in versions 4.9.1 and 5.4.1.","Type":"Description","Title":"Kirby: Arbitrary Method Call via REST API search and collection "}]}}}