Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-whxw-24jc-cwmv | Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header |
Thu, 09 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 09 Jul 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Kirby is an open-source content management system. Prior to 4.9.4 and from 5.4.4, Kirby sites with no configured user accounts that run on publicly accessible servers behind a reverse proxy setting the Forwarded, X-Client-IP, or X-Real-IP request header could allow remote attackers to install the Panel and create the first admin user because local-IP checks trusted those headers incorrectly. This issue is fixed in versions 4.9.4 and 5.4.4. | |
| Title | Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header | |
| Weaknesses | CWE-454 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T19:23:24.078Z
Reserved: 2026-06-11T16:34:11.635Z
Link: CVE-2026-54003
Updated: 2026-07-09T19:23:19.357Z
No data.
No data.
OpenCVE Enrichment
No data.
Github GHSA