SCA: security update for getkirby/cms (GHSA-x275-h9j4-7p4h)

medium Tenable Cloud Security Plugin ID 434754

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2,
and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with
a dynamic collection name (such as a collection name that depends on request or user data). Sites that
only use fixed calls to the `collection()` helper/`$kirby->collection()` method (i.e. calls with a simple
string for the collection name) are *not* affected. A missing path traversal check allowed attackers to
navigate and access all files on the server that were accessible to the PHP process, including files
outside of the collections root or even outside of the Kirby installation. PHP code within such files was
executed. Such attacks first require an attack vector in the site code that is caused by dynamic
collection names, such as `collection('tags-' . get('tags'))`. It generally also requires knowledge of the
site structure and the server's file system by the attacker, although it can be possible to find
vulnerable setups through automated methods such as fuzzing. In a vulnerable setup, this could cause
damage to the confidentiality and integrity of the server. The problem has been patched in Kirby 3.9.8.3,
Kirby 3.10.1.2, and Kirby 4.7.1. In all of the mentioned releases, the maintainers of Kirby have added a
check for the collection path that ensures that the resulting path is contained within the configured
collections root. Collection paths that point outside of the collections root will not be loaded.
(CVE-2025-31493)
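The advisory states the defect and the fix in prose: a request-controlled collection name concatenated into a file path, with no check that the resolved path stays under the collections root. The PHP below is an added example, not Kirby's code and not its actual patch. It models a minimal collections loader in both states so the traversal and the containment check can be run side by side. The directory layout, the function names, the sample request values and the `.php`-under-root naming are all constructed for the example. The page's `collection('tags-' . get('tags'))` is one instance of the dynamic-name vector; the example uses a fully dynamic name so that the traversal does not depend on how the runtime collapses `..` after a fixed prefix.

```php
<?php
// Added example, not Kirby's own code: a minimal model of a collections
// loader before and after the containment check the advisory describes.
// Assumed layout (a simplification): collections are PHP files named
// "<name>.php" directly under a configured root; the file's return value
// is the collection. Requires PHP 8+ (str_starts_with).
declare(strict_types=1);

// Constructed throwaway layout in a temp dir so the script runs offline.
$base            = sys_get_temp_dir() . '/collections-demo-' . bin2hex(random_bytes(4));
$collectionsRoot = $base . '/site/collections';
mkdir($collectionsRoot, 0700, true);
mkdir($base . '/outside', 0700, true);

file_put_contents($collectionsRoot . '/tags-news.php', '<?php return ["post-a", "post-b"];');
// Stands in for any PHP file readable by the PHP process outside the root.
file_put_contents($base . '/outside/secret.php',
    '<?php return ["RAN CODE OUTSIDE THE COLLECTIONS ROOT"];');

/** Before the fix: the request-controlled name goes straight into the path. */
function loadCollectionVulnerable(string $root, string $name): ?array
{
    $file = $root . '/' . $name . '.php';
    if (!is_file($file)) {
        return null;
    }
    return require $file; // whatever PHP is in $file executes here
}

/** After the fix: resolve both paths and refuse anything not under the real root. */
function loadCollectionChecked(string $root, string $name): ?array
{
    $realRoot = realpath($root);
    $file     = realpath($root . '/' . $name . '.php');
    // realpath() is false for a missing file, so unknown names are rejected too.
    if ($realRoot === false || $file === false) {
        return null;
    }
    // Compare with a trailing separator: "/site/collections-x/..." must not
    // pass a plain prefix test against "/site/collections".
    if (!str_starts_with($file, $realRoot . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return require $file;
}

// Collection names derived from request data, the pattern the advisory warns
// against. The values are constructed here; a site would read them with get().
$requests = [
    'tags-news',            // legitimate collection
    '../../outside/secret', // traversal out of the collections root
];

foreach ($requests as $name) {
    $v = loadCollectionVulnerable($collectionsRoot, $name);
    $c = loadCollectionChecked($collectionsRoot, $name);
    printf("%-22s vulnerable=%s  checked=%s\n",
        $name,
        $v === null ? 'null' : json_encode($v),
        $c === null ? 'null' : json_encode($c));
}

// Remove the constructed layout.
unlink($collectionsRoot . '/tags-news.php');
unlink($base . '/outside/secret.php');
rmdir($collectionsRoot);
rmdir($base . '/site');
rmdir($base . '/outside');
rmdir($base);
```

Run it with `php demo.php`. The first request loads in both loaders; for the second, the vulnerable loader executes the file outside the root and returns its contents, while the checked loader returns null. Two design points of the check are worth keeping in mind when auditing your own site code: both sides are passed through `realpath()` so a symlinked temp directory or root does not defeat the prefix comparison, and because `realpath()` follows symlinks, a collection file that is a symlink to a location outside the root is rejected as well. Whether Kirby's own patch treats symlinks the same way is not stated on this page. The check is only needed where the name is dynamic; sites that call `collection()` with a fixed string are, as the advisory says, not affected.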

See Also

https://github.com/advisories/GHSA-x275-h9j4-7p4h

Plugin Details

Severity: Medium

ID: 434754

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.55

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2025-31493

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 1.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/13/2025

Vulnerability Publication Date: 5/13/2025

Reference Information

CVE: CVE-2025-31493