Skip to content


Choose a tag to compare
@bastianallgeier bastianallgeier released this 01 Dec 12:05

Security release

We've been contacted by the security researcher Thore Imhof of Accenture with a vulnerability report that affects file uploads in Kirby's Panel.

An editor with full access to the Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a phar file. Visitors without Panel access cannot use this attack vector.

We've received this report yesterday and this release will prevent the attack.

We recommend to upgrade your sites to Kirby 3.4.5.

This security release does not introduce any features or other fixes.