CVE-2026-29905 - Vulnerability Details

Description

Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to process this file for metadata or thumbnail generation, it triggers a fatal TypeError.

Published: 2026-03-26

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Kirby CMS versions up to 5.1.4 are affected by a flaw that allows an authenticated user with Editor rights to trigger a persistent Denial of Service by uploading a specially crafted image. The vulnerability occurs because the application does not validate the return value of PHP’s getimagesize() function; when the image is processed for metadata or thumbnail creation, a fatal TypeError is raised, halting the request and potentially bringing the entire site offline.

Affected Systems

All installations of Kirby CMS 5.1.4 and earlier run this vulnerability. The issue is fixed in release 5.2.0-rc.1, so any system running that version or later is not susceptible to the weakness described.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, but the EPSS indicates an extremely low exploitation probability (<1%). The vulnerability is not listed in CISA’s KEV catalog. Attack requires an authenticated Editor user with permission to upload images; an attacker with this privilege can repeatedly trigger a crash, leading to prolonged downtime. Because the exploit is limited to internal authenticated users, external attackers cannot directly use it unless they gain account credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Getkirby

Kirby

75%

Version	Status	Scheme	Platform
`[0,5.1.4]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Kirby CMS to version 5.2.0-rc.1 or newer.
Ensure that only trusted users are granted Editor or higher permissions.
Monitor server logs for repeated TypeError entries and application crashes.
If upgrading is not immediately possible, temporarily disable image upload functionality or restrict it to trusted IP ranges.
Apply a custom PHP check to validate getimagesize() return values before proceeding with thumbnail or metadata generation.

Generated by OpenCVE AI on April 2, 2026 at 22:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-cw7v-45wm-mcf2	Kirby CMS has Persistent DoS via Malformed Image Upload

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://drive.google.com/file/d/1MwvvSYIwnC8kOIzjycGMQZw4d2K2ef8h/view?usp=sharing
https://github.com/Stalin-143/CVE-2026-29905
https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1

History

Fri, 03 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
Title	Persistent Denial of Service via Malformed Image Upload in Kirby CMS

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:getkirby:kirby::::::::

Fri, 27 Mar 2026 09:30:00 +0000

Type	Values Removed	Values Added
Title		Persistent Denial of Service via Malformed Image Upload in Kirby CMS

Fri, 27 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Getkirby Getkirby kirby
Vendors & Products		Getkirby Getkirby kirby

Thu, 26 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20 CWE-252
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to process this file for metadata or thumbnail generation, it triggers a fatal TypeError.
References		https://drive.google.com/file/d/1MwvvSYIwnC8kOIzjycGMQZw4d2K2ef8h/view?usp=sharing https://github.com/Stalin-143/CVE-2026-29905 https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1

Subscriptions

Getkirby Kirby

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-26T00:00:00.000Z

Updated: 2026-03-26T18:31:41.421Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-29905

Vulnrichment

Updated: 2026-03-26T18:28:53.512Z

NVD

Status : Analyzed

Published: 2026-03-26T17:16:34.660

Modified: 2026-04-02T17:28:02.250

Link: CVE-2026-29905

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:39:00Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object