CVE-2025-30207

Scores

EPSS

0.000none0.0%

0%20%40%60%80%100%

Percentile: 0.0%

CVSS

2.3low4.0

0246810

CVSS Score: 2.3/10

All CVSS Scores

CVSS 4.0

2.3

Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector Breakdown

CVSS (Common Vulnerability Scoring System) vector provides detailed metrics about vulnerability characteristics

CVSS

Attack Vector

Adjacent Network (A)

Describes how the vulnerability is exploited

AV:A

Attack Complexity

Low (L)

Describes the conditions beyond the attacker's control

AC:L

Attack Requirements

Present

AT:P

Privileges Required

None (N)

Describes the level of privileges an attacker must possess

PR:N

User Interaction

None (N)

Captures the requirement for a human user participation

UI:N

Vulnerable System Confidentiality

None (N)

Measures the impact to the confidentiality of information

VC:N

Vulnerable System Integrity

None (N)

Measures the impact to integrity of a successfully exploited vulnerability

VI:N

Vulnerable System Availability

None (N)

Measures the impact to the availability of the impacted component

VA:N

Subsequent System Confidentiality

Low (L)

Measures the impact to the confidentiality of information

SC:L

Subsequent System Integrity

None (N)

Measures the impact to integrity of a successfully exploited vulnerability

SI:N

Subsequent System Availability

None (N)

Measures the impact to the availability of the impacted component

SA:N

Temporal Metrics

Exploit Code Maturity

Not Defined

E:X

Environmental Metrics

Confidentiality Requirement

Not Defined

CR:X

Integrity Requirement

Not Defined

IR:X

Availability Requirement

Not Defined

AR:X

Modified Attack Vector

Not Defined

Describes how the vulnerability is exploited

MAV:X

Modified Attack Complexity

Not Defined

Describes the conditions beyond the attacker's control

MAC:X

Modified Attack Requirements

Not Defined

MAT:X

Modified Privileges Required

Not Defined

Describes the level of privileges an attacker must possess

MPR:X

Modified User Interaction

Not Defined

Captures the requirement for a human user participation

MUI:X

Modified Vulnerable System Confidentiality

Not Defined

Measures the impact to the confidentiality of information

MVC:X

Modified Vulnerable System Integrity

Not Defined

Measures the impact to integrity of a successfully exploited vulnerability

MVI:X

Modified Vulnerable System Availability

Not Defined

Measures the impact to the availability of the impacted component

MVA:X

Modified Subsequent System Confidentiality

Not Defined

Measures the impact to the confidentiality of information

MSC:X

Modified Subsequent System Integrity

Not Defined

Measures the impact to integrity of a successfully exploited vulnerability

MSI:X

Modified Subsequent System Availability

Not Defined

Measures the impact to the availability of the impacted component

MSA:X

CVSS 3.x

7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP’s built-in server. Such setups are commonly only used during local development. Sites that use other server software (such as Apache, nginx or Caddy) are not affected. A missing path traversal check allowed attackers to navigate all files on the server that were accessible to the PHP process, including files outside of the Kirby installation. The vulnerable implementation delegated all existing files to PHP, including existing files outside of the document root. This leads to a different response that allows attackers to determine whether the requested file exists. Because Kirby’s router only delegates such requests to PHP and does not load or execute them, contents of the files were not exposed as PHP treats requests to files outside of the document root as invalid. The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2, and Kirby 4.7.1. In all of the mentioned releases, the maintainers of Kirby have updated the router to check if existing static files are within the document root. Requests to files outside the document root are treated as page requests of the error page and will no longer allow to determine whether the file exists or not.

Scaner-VS 7 — a modern vulnerability management solution

Uses this database for vulnerability detection. High-speed search, cross-platform, advanced configuration audit, and flexible filtering. Suitable for organizations of any size.

Learn more about Scaner-VS 7

Sources

anchore_overridesnvd

CWEs

CWE-22

Vulnerable Software (2)

Type: Configuration

Operating System:

Trait:

{  "children": [    {      "cpe_match": [        {          "cpe23uri": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:php:*:*",          "versionEndExcluding": "3.9.8.3"        },        {          "cp...

{  "children": [    {      "cpe_match": [        {          "cpe23uri": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:php:*:*",          "versionEndExcluding": "3.9.8.3"        },        {          "cpe23uri": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:php:*:*",          "versionEndExcluding": "3.10.1.2",          "versionStartIncluding": "3.10.0"        },        {          "cpe23uri": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:php:*:*",          "versionEndExcluding": "4.7.1",          "versionStartIncluding": "4.0.0"        }      ],      "negate": false,      "operator": "OR"    },    {      "cpe_match": [        {          "cpe23uri": "cpe:2.3:a:getkirby:panel:*:*:*:*:*:php:*:*",          "versionEndExcluding": "3.9.8.3"        },        {          "cpe23uri": "cpe:2.3:a:getkirby:panel:*:*:*:*:*:php:*:*",          "versionEndExcluding": "3.10.1.2",          "versionStartIncluding": "3.10.0"        },        {          "cpe23uri": "cpe:2.3:a:getkirby:panel:*:*:*:*:*:php:*:*",          "versionEndExcluding": "4.7.1",          "versionStartIncluding": "4.0.0"        }      ],      "negate": false,      "operator": "OR"    }  ],  "operator": "OR"}

Source: anchore_overrides

Type: Configuration

Vendor: getkirby

Product: kirby

Operating System: * * *

Trait:

{  "cpe_match": [    {      "cpe23uri": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",      "versionEndExcluding": "3.9.8.3",      "vulnerable": true    },    {      "cpe23uri": "cpe:2.3:a:getkir...

{  "cpe_match": [    {      "cpe23uri": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",      "versionEndExcluding": "3.9.8.3",      "vulnerable": true    },    {      "cpe23uri": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",      "versionEndExcluding": "3.10.1.2",      "versionStartIncluding": "3.10.0",      "vulnerable": true    },    {      "cpe23uri": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*",      "versionEndExcluding": "4.7.1",      "versionStartIncluding": "4.0.0",      "vulnerable": true    }  ],  "operator": "OR"}

Source: nvd

CVE-2025-30207

Scores

EPSS

CVSS

All CVSS Scores

Vector Breakdown

CVSS

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

Vulnerable System Confidentiality

Vulnerable System Integrity

Vulnerable System Availability

Subsequent System Confidentiality

Subsequent System Integrity

Subsequent System Availability

Temporal Metrics

Exploit Code Maturity

Environmental Metrics

Confidentiality Requirement

Integrity Requirement

Availability Requirement

Modified Attack Vector

Modified Attack Complexity

Modified Attack Requirements

Modified Privileges Required

Modified User Interaction

Modified Vulnerable System Confidentiality

Modified Vulnerable System Integrity

Modified Vulnerable System Availability

Modified Subsequent System Confidentiality

Modified Subsequent System Integrity

Modified Subsequent System Availability

Vector Breakdown

CVSS

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact

Description

Scaner-VS 7 — a modern vulnerability management solution

Sources

CWEs

Vulnerable Software (2)