cvedb.io
CVE-2025-30159
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2025-05-13T15:15:56.167 · Last modified 2026-06-17T09:08:16.147

Summary

Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `snippet()` helper or `$kirby->snippet()` method with a dynamic snippet name (such as a snippet name that depends on request or user data). Sites that only use fixed calls to the `snippet()` helper/`$kirby->snippet()` method (i.e. calls with a simple string for the snippet name) are *not* affected. A missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the snippets root or even outside of the Kirby installation. PHP code within such files was executed. Such attacks first require an attack vector in the site code that is caused by d

Affected products

getkirby — kirby

Does this affect you?

Add your gear to cvedb and we'll alert you only when getkirby ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.