CVE-2022-39315

Severity: MEDIUM | CVSS 5.3/10 | EPSS 0.58%

CVE-2022-39315 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. EPSS estimates a 0.58% chance of exploitation in the next 30 days.

Description

Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. It can only be exploited for targeted attacks because the attack does not scale to brute force. The problem has been patched in Kirby 3.5.8.2, Kirby 3.6.6.2, Kirby 3.7.5.1, and Kirby 3.8.1. In all of the mentioned releases, the maintainers have rewritten the affected code so that the delay is also inserted after the brute force limit is reached.

Metrics

CVSS 3.1
5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability
0.58%

43.5th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor   | Product | Versions
---------|---------|-----------------------
Getkirby | Kirby   | < 3.5.8.2
Getkirby | Kirby   | >= 3.6.0, < 3.6.6.2
Getkirby | Kirby   | >= 3.7.0, < 3.7.5.1
Getkirby | Kirby   | 3.8.0

Frequently Asked Questions

What is CVE-2022-39315?
See the Description section above.
How severe is CVE-2022-39315?
CVE-2022-39315 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.58% probability of exploitation in the next 30 days.
How do I fix CVE-2022-39315?
Upgrade to a patched release (Kirby 3.5.8.2, 3.6.6.2, 3.7.5.1, or 3.8.1, depending on your release line) and check the vendor advisory for mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-39315?

Run a free Strix scan to check your systems for this vulnerability.

Source: NVD / NIST