Security announcement

We have been made aware of a security issue affecting Kirby versions 3.5.7 to 3.7.3 using the tags field.

We are currently working on security patches for all affected versions (3.5, 3.6 and 3.7). We plan to release the patches as soon as possible (by mid next week).

Usually we would not talk openly about a security issue that has not yet been patched, however the issue was already made public (e.g. with a YouTube video) by a third party who unfortunately did not notify us about the issue to this date. Because the issue is already public, we decided it is better to openly inform you as well.

Any critical setups where untrusted users can modify a tags field should consider to deactivate all tags fields until the patch is released. This can be done by commenting out the tags field in your site’s blueprints. Please act responsibly, you all know your setups the best and can assess the concrete risk.


Good thing is that there is no way for intruders to discover that website is built on Kirby unless publicly announced.

Although, if I understand you correctly, this security issue is only a problem if some malicious user has access to the panel, and there is a tags field somewhere in the panel?

Yes. Panel and/or a frontend form that creates or modifies content that is also accessible from the Panel.