{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreigyzuw7kh5fgtefoez5v2vw6c4hyscfe4xwph75rnzbqayegggwmy",
    "uri": "at://did:plc:uycvbmlz3vrjjgtyjzs4qtgh/app.bsky.feed.post/3mbvvxolrkaf2"
  },
  "path": "/getkirby/kirby/releases/tag/5.2.2",
  "publishedAt": "2026-04-17T12:02:15.469Z",
  "site": "https://github.com",
  "tags": [
    "Missing permission checks in the content changes API",
    "CVE-2026-21896",
    "7806",
    "7802",
    "7799",
    "7830",
    "7662",
    "7807"
  ],
  "textContent": "Caution\n\n## 🚨 Security\n\n### Missing permission checks in the content changes API\n\n**CVE ID:** CVE-2026-21896\n**Severity:** medium (CVSS score 5.8)\n\nThis vulnerability affects all Kirby sites (Kirby 5.0.0-5.2.1) where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the `update` permission with the intent to prevent modifications to site content.\n\nIf you haven't configured any user permissions that deviate from the default of allowing all actions, your site is _not_ affected.\n\n## 🐛 Bug fixes\n\n  * Prevent error when calling `Remote::json()` with single-value JSON content (e.g. a single string, single int) #7806\n  * Fixed `Kirby\\Toolkit\\Dom` for newer libxml versions #7802\n  * Writer field: fixed inline toolbar position on views without Panel menu #7799\n  * `$collection->group(callable)` should accept empty string result as key #7830\n  * Fixed filename field bug in upload dialog #7662\n\n\n\n## ♻️ Refactored\n\n  * Reset `$_SERVER` manipulation in tests #7807\n\n",
  "title": "5.2.2",
  "updatedAt": "2026-01-08T13:24:09.000Z"
}