copilot-swe-agent[bot]
8c3b271b98
Agent-Logs-Url: https://github.com/0x5t4l1n/CVE/sessions/fa832b9e-3288-4289-b847-672ac80fb634 Co-authored-by: 0x5t4l1n <161853795+0x5t4l1n@users.noreply.github.com>
1.9 KiB
CVE-2026-29905 — Kirby CMS Persistent DoS via Malformed Image Upload
CVE-2026-29905 has been officially published by MITRE.
Overview
A authenticated user with Editor permissions can upload a malformed file with an image extension to cause a persistent Denial of Service in Kirby CMS.
CVE ID: CVE-2026-29905
Affected Version: Kirby CMS ≤ 5.1.4
Fixed In: Kirby CMS 5.2.0-rc.1
Severity: Medium
CWE: CWE-252 (Unchecked Return Value), CWE-20 (Improper Input Validation)
Description
Kirby processes uploaded image files using PHP's getimagesize() function without validating its return value. When a malformed file is uploaded with a valid image extension (e.g. .jpg), getimagesize() returns false instead of an array. The application then triggers a fatal TypeError during thumbnail generation or metadata processing.
The crash persists across page reloads until the file is manually removed from the filesystem.
Impact
- Any Editor-role user (non-admin) can trigger the DoS condition.
- Affected pages return HTTP 500 until the file is removed manually.
Fix
Patched in Kirby CMS 5.2.0-rc.1.
References
- CVE-2026-29905 on cve.org
- CVE-2026-29905 on NVD
- GHSA-cw7v-45wm-mcf2
- PoC – 0x5t4l1n/CVE-2026-29905
- Kirby CMS 5.2.0-rc.1 Release
- Supporting Document (Google Drive)
Discoverer
Stalin S (@0x5t4l1n)