CVE-2026-29905

MEDIUM

Kirby CMS through 5.1.4 - DoS

Title source: llm

Description

Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service (DoS) via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize() function. When the system attempts to process this file for metadata or thumbnail generation, it triggers a fatal TypeError.

References (3)

https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1

https://drive.google.com/file/d/1MwvvSYIwnC8kOIzjycGMQZw4d2K2ef8h/view?usp=sharing

https://github.com/Stalin-143/CVE-2026-29905

View Exploit ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 13.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-20 CWE-252

Status published

Products (2)

getkirby/cms 0 - 5.2.0-rc.1Packagist

getkirby/kirby < 5.1.4

Published Mar 26, 2026

Tracked Since Mar 26, 2026