{"created":1771001613,"minutes":4320,"value":{"latest":"5.3.0","versions":{"5.3.0":{"status":"latest","description":"Latest Kirby release"},">=5.2.2":{"status":"no-vulnerabilities","description":"No known vulnerabilities"},"5.*":{"status":"active-support","description":"Actively supported","latest":"5.3.0","initialRelease":"2025-06-24","endOfActiveSupport":null,"endOfLife":"2028-06-24"},"4.*":{"status":"security-support","description":"Security support until November 28, 2026","latest":"4.8.0","initialRelease":"2023-11-28","endOfActiveSupport":"2025-06-24","endOfLife":"2026-11-28"},"3.10.*":{"status":"end-of-life","description":"Not supported (end of life) since December 1, 2025","latest":"3.10.1.2","initialRelease":"2023-12-19","endOfActiveSupport":"2023-12-19","endOfLife":"2025-12-01"},"3.9.*":{"status":"end-of-life","description":"Not supported (end of life) since December 1, 2025","latest":"3.10.1.2","initialRelease":"2023-01-17","endOfActiveSupport":"2023-11-28","endOfLife":"2025-12-01"},"3.8.*":{"status":"end-of-life","description":"Not supported (end of life) since December 2, 2024","latest":"3.10.1.2","initialRelease":"2022-10-06","endOfActiveSupport":"2023-01-17","endOfLife":"2024-12-02"},"3.7.*":{"status":"end-of-life","description":"Not supported (end of life) since June 27, 2024","latest":"3.10.1.2","initialRelease":"2022-06-27","endOfActiveSupport":"2022-10-06","endOfLife":"2024-06-27"},"3.6.*":{"status":"end-of-life","description":"Not supported (end of life) since June 27, 2024","latest":"3.10.1.2","initialRelease":"2021-11-16","endOfActiveSupport":"2022-06-27","endOfLife":"2024-06-27"},"3.5.*":{"status":"end-of-life","description":"Not supported (end of life) since November 16, 2023","latest":"3.10.1.2","initialRelease":"2020-12-15","endOfActiveSupport":"2021-11-16","endOfLife":"2023-11-16"},"3.* <3.5":{"status":"end-of-life","description":"Not supported (end of life) since November 16, 2021","latest":"3.10.1.2","initialRelease":"2019-02-05","endOfActiveSupport":"2020-12-15","endOfLife":"2021-11-16"},"2.*":{"status":"end-of-life","description":"Not supported (end of life) since January 1, 2021","latest":"2.5.14","initialRelease":"2014-10-07","endOfActiveSupport":"2019-02-05","endOfLife":"2021-01-01"},"1.*":{"status":"end-of-life","description":"Not supported (end of life) since February 1, 2016","latest":"1.1.2","initialRelease":"2012-01-09","endOfActiveSupport":"2014-10-07","endOfLife":"2016-02-01"}},"urls":{"3.0.0 || 3.5.0 || 3.6.0 || 3.7.0 || 3.8.0 || 3.9.0 || 4.0.0 || 5.0.0":{"changes":"https:\/\/getkirby.com\/releases\/{{ version }}","download":"https:\/\/github.com\/getkirby\/kirby\/archive\/refs\/tags\/{{ version }}.zip","upgrade":"https:\/\/getkirby.com\/releases\/5"},">=3.0.0":{"changes":"https:\/\/github.com\/getkirby\/kirby\/releases\/tag\/{{ version }}","download":"https:\/\/github.com\/getkirby\/kirby\/archive\/refs\/tags\/{{ version }}.zip","upgrade":"https:\/\/getkirby.com\/releases\/5"},"2.*":{"changes":"https:\/\/github.com\/getkirby-v2\/kirby\/releases\/tag\/{{ version }}","download":"https:\/\/github.com\/getkirby-v2\/kirby\/archive\/refs\/tags\/{{ version }}.zip","upgrade":"https:\/\/getkirby.com\/releases\/5"},"1.*":{"changes":"https:\/\/github.com\/getkirby-v1\/starterkit\/releases\/tag\/{{ version }}","upgrade":"https:\/\/getkirby.com\/releases\/5"}},"php":{"8.0":"2023-11-26","8.1":"2025-12-31","8.2":"2026-12-31","8.3":"2027-12-31","8.4":"2028-12-31","8.5":"2029-12-31"},"incidents":[{"affected":"5.0.0 - 5.2.1","fixed":"5.2.2","description":"Missing permission checks in the content changes API","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-4j78-4xrm-cr2f","severity":"medium","score":5.8,"cve":"CVE-2026-21896","cvss":"CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:L\/UI:A\/VC:N\/VI:H\/VA:L\/SC:N\/SI:N\/SA:N"},{"affected":"5.0.0 - 5.1.3","fixed":"5.1.4","description":"Cross-site scripting (XSS) in the changes dialog","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-84hf-8gh5-575j","severity":"medium","score":5.1,"cve":"CVE-2025-65012","cvss":"CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:P\/VC:L\/VI:L\/VA:N\/SC:N\/SI:N\/SA:N"},{"affected":"<=3.9.8.2 || 3.10.0 - 3.10.1.1 || 4.0.0 - 4.7.0","fixed":"3.9.8.3, 3.10.1.2, 4.7.1","description":"Path traversal of collection names during file system lookup","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-x275-h9j4-7p4h","severity":"medium","score":6.3,"cve":"CVE-2025-31493","cvss":"CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:L\/VI:L\/VA:N\/SC:L\/SI:L\/SA:N"},{"affected":"<=3.9.8.2 || 3.10.0 - 3.10.1.1 || 4.0.0 - 4.7.0","fixed":"3.9.8.3, 3.10.1.2, 4.7.1","description":"Path traversal in the router for PHP's built-in server","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-9p3p-w5jf-8xxg","severity":"low","score":2.3,"cve":"CVE-2025-30207","cvss":"CVSS:4.0\/AV:A\/AC:L\/AT:P\/PR:N\/UI:N\/VC:N\/VI:N\/VA:N\/SC:L\/SI:N\/SA:N"},{"affected":"<=3.9.8.2 || 3.10.0 - 3.10.1.1 || 4.0.0 - 4.7.0","fixed":"3.9.8.3, 3.10.1.2, 4.7.1","description":"Path traversal of snippet names during file system lookup","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-fw82-87p8-v6hp","severity":"medium","score":6.3,"cve":"CVE-2025-30159","cvss":"CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:L\/VI:L\/VA:N\/SC:L\/SI:L\/SA:N"},{"affected":"<=3.6.6.5 || 3.7.0 - 3.7.5.4 || 3.8.0 - 3.8.4.3 || 3.9.0 - 3.9.8.1 || 3.10.0 - 3.10.1 || 4.0.0 - 4.3.0","fixed":"3.6.6.6, 3.7.5.5, 3.8.4.4, 3.9.8.2, 3.10.1.1, 4.3.1","description":"Insufficient permission checks in the language settings","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-jm9m-rqr3-wfmh","severity":"high","score":8.1,"cve":"CVE-2024-41964","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:H\/A:H"},{"affected":"4.0.0 - 4.1.0","fixed":"4.1.1","description":"Cross-site scripting (XSS) in the link field \"Custom\" type","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-63h4-w25c-3qv4","severity":"medium","score":4.6,"cve":"CVE-2024-27087","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:U\/C:L\/I:L\/A:N"},{"affected":"<=3.6.6.4 || 3.7.0 - 3.7.5.3 || 3.8.0 - 3.8.4.2 || 3.9.0 - 3.9.8 || 3.10.0 || 4.0.0 - 4.1.0","fixed":"3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, 4.1.1","description":"Unrestricted file upload of user avatar images","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-xrvh-rvc4-5m43","severity":"medium","score":4.6,"cve":"CVE-2024-26483","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:U\/C:L\/I:L\/A:N"},{"affected":"<=3.6.6.4 || 3.7.0 - 3.7.5.3 || 3.8.0 - 3.8.4.2 || 3.9.0 - 3.9.8 || 3.10.0 || 4.0.0 - 4.1.0","fixed":"3.6.6.5, 3.7.5.4, 3.8.4.3, 3.9.8.1, 3.10.0.1, 4.1.1","description":"Self cross-site scripting (self-XSS) in the URL field","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-57f2-8p89-66x6","severity":"medium","score":4.2,"cve":"CVE-2024-26481","cvss":"CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:U\/C:L\/I:L\/A:N"},{"affected":"<=3.5.8.2 || 3.6.0 - 3.6.6.2 || 3.7.0 - 3.7.5.1 || 3.8.0 - 3.8.4 || 3.9.0 - 3.9.5","fixed":"3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6","description":"Denial of service from unlimited password lengths","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-3v6j-v3qc-cxff","severity":"medium","score":5.3,"cve":"CVE-2023-38492","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:L"},{"affected":"<=3.5.8.2 || 3.6.0 - 3.6.6.2 || 3.7.0 - 3.7.5.1 || 3.8.0 - 3.8.4 || 3.9.0 - 3.9.5","fixed":"3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6","description":"Cross-site scripting (XSS) from MIME type auto-detection of uploaded files","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-8fv7-wq38-f5c9","severity":"medium","score":5.7,"cve":"CVE-2023-38491","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:U\/C:H\/I:N\/A:N"},{"affected":"<=3.5.8.2 || 3.6.0 - 3.6.6.2 || 3.7.0 - 3.7.5.1 || 3.8.0 - 3.8.4 || 3.9.0 - 3.9.5","fixed":"3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6","description":"XML External Entity (XXE) vulnerability in the XML data handler","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-q386-w6fg-gmgp","severity":"medium","score":6.8,"cve":"CVE-2023-38490","cvss":"CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:C\/C:H\/I:N\/A:N"},{"affected":"<=3.5.8.2 || 3.6.0 - 3.6.6.2 || 3.7.0 - 3.7.5.1 || 3.8.0 - 3.8.4 || 3.9.0 - 3.9.5","fixed":"3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6","description":"Insufficient Session Expiration after a password change","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-5mvj-rvp8-rf45","severity":"high","score":7.3,"cve":"CVE-2023-38489","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:U\/C:H\/I:H\/A:N"},{"affected":"<=3.5.8.2 || 3.6.0 - 3.6.6.2 || 3.7.0 - 3.7.5.1 || 3.8.0 - 3.8.4 || 3.9.0 - 3.9.5","fixed":"3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, 3.9.6","description":"Field injection in the KirbyData text storage handler","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-x5mr-p6v4-wp93","severity":"high","score":7.1,"cve":"CVE-2023-38488","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:H\/A:L"},{"affected":"<=3.5.8.1 || 3.6.0 - 3.6.6.1 || 3.7.0 - 3.7.5 || 3.8.0","fixed":"3.5.8.2, 3.6.6.2, 3.7.5.1, 3.8.1","description":"User enumeration in the brute force protection","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-c27j-76xg-6x4f","severity":"medium","score":6.5,"cve":"CVE-2022-39315","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N"},{"affected":"3.5.0 - 3.5.8.1 || 3.6.0 - 3.6.6.1 || 3.7.0 - 3.7.5 || 3.8.0","fixed":"3.5.8.2, 3.6.6.2, 3.7.5.1, 3.8.1","description":"User enumeration in the code-based login and password reset forms","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-43qq-qw4x-28f8","severity":"medium","score":4.8,"cve":"CVE-2022-39314","cvss":"CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N"},{"affected":"<=3.5.8","fixed":"3.5.8.1","description":"Cross-site scripting (XSS) from dynamic options in the multiselect field","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-3f89-869f-5w76","severity":"medium","score":5.9,"cve":"CVE-2022-36037","cvss":"CVSS:3.1\/AV:N\/AC:H\/PR:L\/UI:N\/S:U\/C:H\/I:L\/A:N"},{"affected":"3.5.7 - 3.5.8 || 3.6.0 - 3.6.6 || 3.7.0 - 3.7.3","fixed":"3.5.8.1, 3.6.6.1, 3.7.4","description":"Cross-site scripting (XSS) from content entered in the tags and multiselect fields","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-rv3r-vqjj-8c76","severity":"high","score":7.1,"cve":"CVE-2022-35174","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:L\/A:N"},{"affected":"3.5.0 - 3.5.7.1","fixed":"3.5.8","description":"Cross-site scripting (XSS) from image block content in the site frontend","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-cq58-r77c-5jjw","severity":"medium","score":5.4,"cve":"CVE-2021-41258","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:L\/A:N"},{"affected":"3.5.0 - 3.5.7.1","fixed":"3.5.8","description":"Cross-site scripting (XSS) from writer field content in the site frontend","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-x7j7-qp7j-hw3q","severity":"medium","score":5.4,"cve":"CVE-2021-41252","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:L\/A:N"},{"affected":"<=3.5.6","fixed":"3.5.7","description":"Cross-site scripting (XSS) from field and configuration text displayed in the Panel","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-2f2w-349x-vrqm","severity":"high","score":7.1,"cve":"CVE-2021-32735","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:L\/A:N"},{"affected":"<=3.5.3.1","fixed":"3.5.4","description":"Cross-site scripting (XSS) from unvalidated uploaded SVG or XML files","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-qgp4-5qx6-548g","severity":"high","score":7.6,"cve":"CVE-2021-29460","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:H\/I:L\/A:N"},{"affected":"<=2.5.13 || 3.0.0 - 3.4.4","fixed":"2.5.14, 3.4.5","description":"Remote code execution (RCE) from PHP Phar archives uploaded by Panel users as content files","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-g3h8-cg9x-47qw","severity":"critical","score":10,"cve":"CVE-2020-26255","cvss":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:H\/I:H\/A:H"},{"affected":"<=2.5.13 || 3.0.0 - 3.3.5","fixed":"2.5.14, 3.3.6","description":"External Initialization of the Panel on .dev domains and some reverse proxy setups","link":"https:\/\/github.com\/getkirby\/kirby\/security\/advisories\/GHSA-2ccx-2gf3-8xvv","severity":"medium","score":6.5,"cve":"CVE-2020-26253","cvss":"CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:L\/I:H\/A:N"}],"messages":[],"_version":"5.3.0"}}