
CVE-2026-29905: Kirby CMS DoS Vulnerability via Upload

CVE-2026-29905 is a denial of service vulnerability in Kirby CMS through version 5.1.4 that allows authenticated editors to crash the system via malformed image uploads. This article covers technical details, impact, and mitigation.

Published: March 27, 2026

CVE-2026-29905 Overview

CVE-2026-29905 is a Denial of Service (DoS) vulnerability affecting Kirby CMS through version 5.1.4. The vulnerability allows an authenticated user with 'Editor' permissions to cause a persistent denial of service condition by uploading a malformed image file. The application fails to properly validate the return value of the PHP getimagesize() function, which can return false for invalid image files. When the system subsequently attempts to process this malformed file for metadata extraction or thumbnail generation, it triggers a fatal TypeError that crashes the application.

Critical Impact

Authenticated attackers with Editor-level access can persistently disrupt Kirby CMS availability by uploading specially crafted image files that trigger fatal PHP errors during processing.

Affected Products

  • Kirby CMS versions through 5.1.4

Discovery Timeline

  • 2026-03-26 - CVE-2026-29905 published to NVD
  • 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-29905

Vulnerability Analysis

This vulnerability stems from improper input validation (CWE-20) in Kirby CMS's image handling functionality. When a user with Editor permissions uploads an image file, the application uses PHP's getimagesize() function to extract image dimensions and metadata. The getimagesize() function returns an array containing image properties on success, but returns false when the file is not a valid image or cannot be processed.

The vulnerable code path does not properly check for the false return value before attempting to use the result as an array. When a malformed image file is uploaded, the subsequent array access operations on the boolean false value trigger a PHP TypeError. This error is fatal and causes the application to crash, resulting in a denial of service condition.

The impact is persistent because the malformed file remains on the server and can trigger the error each time the CMS attempts to regenerate thumbnails or access image metadata, effectively making portions of the content management system unusable until the offending file is manually removed.

Root Cause

The root cause is insufficient validation of the return value from PHP's getimagesize() function. The application assumes this function will always return valid image dimension data without implementing proper error handling for cases where the function returns false due to invalid or corrupted image files. This represents a classic improper input validation flaw where user-supplied data (the uploaded file) is not adequately verified before being processed.
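The flawed pattern beside its hardened form, as an added PHP illustration that is not Kirby's own code; `makeThumb()` is a hypothetical stand-in for the CMS's thumbnail step and only matters because it takes typed integers:

```php
<?php
declare(strict_types=1);

// Added illustration of the flaw, not Kirby's own code. makeThumb() is a
// hypothetical stand-in for the CMS's thumbnail step; it only needs typed ints.
function makeThumb(int $width, int $height): string
{
    return sprintf('%dx%d thumb', intdiv($width, 2), intdiv($height, 2));
}

// Vulnerable pattern: the getimagesize() result is indexed without checking
// for `false`. On a malformed file $info is false, $info[0] is null (with a
// warning), and null reaching an int parameter throws an uncaught TypeError.
function vulnerableDimensions(string $path): string
{
    $info = getimagesize($path);
    return makeThumb($info[0], $info[1]);
}

// Hardened form: treat `false` (or a missing width/height) as "not an image"
// and raise a recoverable exception so the upload is rejected before it persists.
function safeDimensions(string $path): string
{
    $info = @getimagesize($path);
    if ($info === false || !isset($info[0], $info[1])) {
        throw new InvalidArgumentException("Rejected upload, not a valid image: $path");
    }
    return makeThumb((int) $info[0], (int) $info[1]);
}

// Constructed sample: a file with an image extension but no image header.
$fake = sys_get_temp_dir() . '/constructed-' . bin2hex(random_bytes(4)) . '.png';
file_put_contents($fake, 'not an image at all');

try {
    vulnerableDimensions($fake);
} catch (TypeError $e) {
    echo 'vulnerable: ', $e->getMessage(), PHP_EOL;
}
try {
    safeDimensions($fake);
} catch (InvalidArgumentException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;
}
unlink($fake);
```

The hardened variant is the shape of check the advisory describes for 5.2.0; rejecting at upload time also matters because a file that is merely logged and kept would keep tripping thumbnail regeneration.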

Attack Vector

The attack requires network access and low-privilege authentication (Editor role). An attacker must first authenticate to the Kirby CMS panel with at least Editor permissions. They can then upload a specially crafted file with an image extension that is not actually a valid image format, or a corrupted image file that causes getimagesize() to fail.

Once uploaded, the malicious file triggers the vulnerability whenever:

  • The CMS generates thumbnails for the panel or frontend
  • Media metadata is accessed or indexed
  • The file browser renders previews

The vulnerability does not require user interaction beyond the initial upload, and the denial of service persists until administrative intervention removes the malformed file.

Detection Methods for CVE-2026-29905

Indicators of Compromise

  • PHP fatal error logs showing TypeError exceptions related to image processing or getimagesize() function calls
  • Uploaded files in Kirby's content folders with image extensions but invalid or corrupted image headers
  • Repeated 500 Internal Server Error responses when accessing pages or panel sections that reference specific media files
  • Web server error logs indicating PHP crashes during thumbnail generation or media metadata retrieval

Detection Strategies

  • Monitor PHP error logs for fatal TypeError exceptions involving array operations on boolean values in image processing contexts
  • Implement file integrity monitoring to detect uploaded files that do not match their declared MIME types
  • Set up alerting for unusual patterns of file uploads from Editor accounts, particularly files that immediately cause processing errors
  • Review access logs for Editor users uploading files followed by application errors
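A triage helper for the second indicator above (image extension, no matching header), written here as an added PHP example rather than code from SentinelOne or Kirby; the directory layout under the scanned root is an assumption:

```php
<?php
declare(strict_types=1);

// Added triage helper, not SentinelOne's or Kirby's code. It walks a content
// directory and flags files whose image extension is not backed by a matching
// file signature, which is the artefact that keeps re-triggering the crash.
const SIGNATURES = [
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'gif'  => ['GIF87a', 'GIF89a'],
];

function headerMatches(string $path, string $ext): bool
{
    $head = (string) @file_get_contents($path, false, null, 0, 8);
    foreach (SIGNATURES[$ext] ?? [] as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return true;
        }
    }
    return false;
}

/** Returns sorted paths that carry an image extension but no matching signature. */
function findMismatchedImages(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $ext = strtolower($file->getExtension());
        if (isset(SIGNATURES[$ext]) && !headerMatches($file->getPathname(), $ext)) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Constructed sample tree: one file with a genuine PNG header, one text file
// renamed to .png. The "site/media" layout is an assumption, not Kirby's.
$root = sys_get_temp_dir() . '/constructed-content-' . bin2hex(random_bytes(4));
mkdir("$root/site/media", 0700, true);
file_put_contents("$root/site/media/real.png", "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
file_put_contents("$root/site/media/fake.png", 'not an image at all');

foreach (findMismatchedImages($root) as $path) {
    echo "suspicious: $path", PHP_EOL;
}
```

Point it at the actual upload root and review each hit before removing it, since a hit is the file that needs to go for the persistent DoS condition to clear.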

Monitoring Recommendations

  • Configure centralized logging for PHP fatal errors and correlate with user session data to identify potential attack sources
  • Implement real-time monitoring for Kirby CMS panel availability and functionality
  • Track server error rates and set threshold alerts for sudden increases in 500-series HTTP responses
  • Monitor file upload endpoints for suspicious activity patterns from authenticated sessions

How to Mitigate CVE-2026-29905

Immediate Actions Required

  • Upgrade Kirby CMS to version 5.2.0 or later, which contains the security fix for this vulnerability
  • Review and audit recently uploaded media files for any that may have been maliciously crafted
  • Temporarily restrict Editor permissions for untrusted users until the patch is applied
  • Monitor error logs for signs of exploitation attempts or persistent DoS conditions

Patch Information

The Kirby development team has addressed this vulnerability in version 5.2.0. The fix implements proper validation of the getimagesize() return value before attempting to process image metadata. Organizations running affected versions should upgrade to 5.2.0-rc.1 or later as documented in the Kirby 5.2.0 Release Notes.

Additional technical details about the vulnerability may be found in the CVE-2026-29905 PoC repository and the associated documentation.

Workarounds

  • Implement server-side file validation at the web server level to verify image headers before allowing uploads to reach the application
  • Configure PHP error handling to catch TypeError exceptions gracefully instead of causing fatal crashes
  • Limit Editor account access to trusted personnel only until the patch can be applied
  • Consider implementing a Web Application Firewall (WAF) rule to inspect uploaded files for valid image signatures

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DoS
  • Vendor/Tech: Kirby CMS
  • Severity: MEDIUM
  • CVSS Score: 6.5
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-20

Technical References

  • Google Drive Document
  • GitHub CVE-2026-29905 PoC
  • GitHub Kirby Release Notes
©2026 SentinelOne, All Rights Reserved.