You can find up-to-date information on the security status of each version on https://getkirby.com/security.
We have a detailed security guide with information on how to keep your Kirby installation secure.
If you have spotted a vulnerability in Kirby's core or the Panel, please make sure to let us know immediately. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
You can always contact us directly at security@getkirby.com.
If you want to encrypt your message, our GPG key is 6E6B 057A F491 FFAD 363F 6F49 9101 10FA A459 E120.
You can also use the security advisory form on GitHub to securely and privately report a vulnerability to us.
We will send you a response as soon as possible and will keep you informed on our progress towards a fix and announcement.
Important
Please do not write to us publicly, e.g. in the forum, on Discord or in a GitHub issue. A public report can give attackers valuable time to exploit the issue before it is fixed.
By letting us know directly and coordinating the disclosure with us, you can help to protect other Kirby users from such attacks.
Also please do not request a CVE ID from organizations like MITRE. The responsible CVE Numbering Authority (CNA) for Kirby is GitHub. We can and will request a CVE ID for each confirmed vulnerability and will provide it to you in advance of the coordinated release.