Injection Flaw in Kirby Content Management System
CVE-2026-50188

6.9MEDIUM

Key Information:

Vendor

Getkirby

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-50188?

Kirby, an open-source content management system, has a vulnerability allowing header injection due to improper handling of untrusted data in outgoing HTTP requests. Specifically, when using the Kirby Http Remote class with methods such as Remote::request(), Remote::get(), and Remote::post() prior to versions 4.9.4 and 5.4.4, newline characters could be included in request header values. This flaw allows an attacker to inject unintended request headers to the remote service, potentially compromising web applications that rely on faulty request handling.

Affected Version(s)

kirby < 4.9.4 < 4.9.4

kirby >= 5.0.0, < 5.4.4 < 5.0.0, 5.4.4

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.