
5.2.2

Kirby is the CMS that adapts to you [Unofficial] April 17, 2026

Caution

🚨 Security

Missing permission checks in the content changes API

CVE ID: CVE-2026-21896
Severity: medium (CVSS score 5.8)

This vulnerability affects all Kirby sites (Kirby 5.0.0-5.2.1) where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content.

If you haven't configured any user permissions that deviate from the default of allowing all actions, your site is not affected.

🐛 Bug fixes

  • Prevent error when calling Remote::json() with single-value JSON content (e.g. a single string, single int) #7806
  • Fixed Kirby\Toolkit\Dom for newer libxml versions #7802
  • Writer field: fixed inline toolbar position on views without Panel menu #7799
  • $collection->group(callable) should accept empty string result as key #7830
  • Fixed filename field bug in upload dialog #7662

♻️ Refactored

  • Reset $_SERVER manipulation in tests #7807
