Injection Flaw in Kirby Content Management System
CVE-2026-50188
6.9MEDIUM
What is CVE-2026-50188?
Kirby, an open-source content management system, has a vulnerability allowing header injection due to improper handling of untrusted data in outgoing HTTP requests. Specifically, when using the Kirby Http Remote class with methods such as Remote::request(), Remote::get(), and Remote::post() prior to versions 4.9.4 and 5.4.4, newline characters could be included in request header values. This flaw allows an attacker to inject unintended request headers to the remote service, potentially compromising web applications that rely on faulty request handling.
Affected Version(s)
kirby < 4.9.4 < 4.9.4
kirby >= 5.0.0, < 5.4.4 < 5.0.0, 5.4.4
