Security releases – Kirby, and 3.7.4

Today we release three security updates that fix cross-site scripting (XSS) vulnerabilities in the tags and multiselect fields:

  • Kirby (high severity for Kirby 3.5.7-3.5.8, medium severity for Kirby 3.5.0-3.5.6)
  • Kirby (high severity for Kirby 3.6.0-3.6.6)
  • Kirby 3.7.4 (high severity for Kirby 3.7.0-3.7.3)

You can find out more about the vulnerabilities and fixes in the security advisories that are linked from the respective security updates.

Kirby 3.7.4 also comes with many useful enhancements and fixes and even three smaller features. It is the last scheduled 3.7.x release. We are now actively working towards Kirby 3.8.

1 Like


after I installed the latest kirby version today, I get the following error:

Not Extended

A mandatory extension policy in the request is not accepted by the server for this resource.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request

I do the installation like this:

sudo rm -rfv kirby
git clone
cd "$(dirname "$0")/kirby"
rm -rf .git exit;

what am I doing wrong ?

This seems to be something server related, a quick google search might help. Never seen this, TBH.

I’m now using version 3.6.6 again, the error message doesn’t appear there, the new version and the server probably don’t get along.

Were you trying or 3.7.4? The security update to does not come with any breaking changes.

I used this url: git clone

Please use this to get Kirby

cd kirby
git checkout

i am having difficulty checking out the patches as the tags do not seem to exist, see:

git checkout tags/3.5.8 
HEAD is now at 76f2781 Upgrade to 3.5.8
git checkout tags/
error: pathspec 'tags/' did not match any file(s) known to git


git checkout tags/3.6.6
Previous HEAD position was 76f2781 Upgrade to 3.5.8
HEAD is now at c926bdc Upgrade to 3.6.6

git checkout tags/
error: pathspec 'tags/' did not match any file(s) known to git

A previous β€˜git fetch --all -tags’ does not bring any improvement. Also, GitHub informs that the tag does not belong to any repo.

The tag does exist in the repo, see GitHub - getkirby/kirby at The warning that the tag does not belong to a branch is expected. and are patch releases that were not merged into main because this branch is for 3.7.x.

Have you tried the fetch command with double-dashes (--tags instead of -tags)?


Have you tried the fetch command with double-dashes (--tags instead of -tags )?

yes, but it makes no difference. The tag is not tangible for β€œgit checkout”.

git fetch --all --tags
Fetching origin

git tag -l

The corresponding commits are also not available.

So how can i get the patch via git checkout? Anybody an idea?

What repo have you checked out? The list of tags is not complete.

git clone GitHub - getkirby/plainkit: The most minimal setup of Kirby – perfect for when you already know your way around

Those tags refer to the kirby repo, not the Plain- or Starterkits.

7.4.0 is also available for the Starter- and Plainkits, but for the old versions, there are no separate tags for the kits.