CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49274

unknowncovered by 1 sourcefirst seen 2026-07-09
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page existence and retrieve title field values. This issue is fixed in versions 4.9.4 and 5.4.4.

⚡ Watch CVE-2026-49274

Get an email if CVE-2026-49274 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-49274

CVE.org record

Embed the live status

CVE-2026-49274 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49274 status](https://www.csirts.com/badge/CVE-2026-49274)](https://www.csirts.com/cve/CVE-2026-49274)