Remote Code Execution Vulnerability in Kirby CMS by GetKirby
CVE-2026-54003

9.1CRITICAL

Key Information:

Vendor

Getkirby

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-54003?

Kirby, an open-source content management system, is vulnerable to remote code execution when no user accounts are configured on publicly accessible servers with misconfigured reverse proxies. Attackers can exploit this flaw by improperly sending headers such as Forwarded, X-Client-IP, or X-Real-IP, enabling them to install the Panel and create the first admin user. This vulnerability has been addressed in Kirby CMS versions 4.9.4 and 5.4.4.

Affected Version(s)

kirby < 4.9.4 < 4.9.4

kirby >= 5.0.0, < 5.4.4 < 5.0.0, 5.4.4

References

CVSS V4

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.