Skip to main content

Kirby CMS EUVDEUVD-2026-42671

| CVE-2026-49276 HIGH
Improper Neutralization of Script in Attributes in a Web Page (CWE-83)
2026-06-18 https://github.com/getkirby/kirby GHSA-rhj6-r49h-5932
7.4
CVSS 4.0 · Vendor: https://github.com/getkirby/kirby
Share

Severity by source

Vendor (https://github.com/getkirby/kirby) PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Network-reachable Panel but AC:H and UI:R reflect required content-structure knowledge, social engineering, and a click before save; C/I:H for session compromise, A:N as availability is unaffected.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/getkirby/kirby).

CVSS VectorVendor: https://github.com/getkirby/kirby

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

8
Analysis Updated
Jul 09, 2026 - 19:43 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 19:43 vuln.today
v4 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 19:42 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 19:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 09, 2026 - 19:22 NVD
7.4 (HIGH)
Source Code Evidence Fetched
Jun 18, 2026 - 15:52 vuln.today
Analysis Generated
Jun 18, 2026 - 15:52 vuln.today

DescriptionCVE.org

TL;DR

This vulnerability affects Kirby sites that use the writer field in any blueprint.

It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it.

A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack *cannot* be automated.

In Kirby's default configuration, the vulnerability is limited to self-XSS and *cannot* directly affect other users or visitors of the site. Panel plugins that are directly using the <k-writer> component may also be affected by stored XSS if they don't sanitize the resulting HTML before saving it to the content.

This vulnerability is of high severity for affected sites.

----

Introduction

Cross-site scripting (XSS) is a type of vulnerability that allows attackers to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can, for example, trigger requests to Kirby's API with the permissions of the victim.

*Self* cross-site scripting (self-XSS) typically involves a user inadvertently executing malicious code within their own context, often through social engineering techniques. This can occur when a user is tricked into pasting and executing malicious JavaScript code into the browser's developer console, address bar or form fields.

In a *stored* XSS attack, the malicious payload is saved into the content data and has the potential to affect other users or site visitors.

Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.

Affected components

The writer field allows users to input formatted text, including links to arbitrary URLs and email addresses. Its link and email marks are therefore a target for XSS attacks.

As the vulnerability is in the writer mark components, it also affects all uses of the <k-writer> component in Panel plugins.

Impact

In affected releases, the link and email marks did not prevent XSS payloads from being submitted to the writer field's content data:

  • The link mark allowed users to enter JavaScript URLs using the "custom" URL type. These URLs would already be sanitized by the backend before storing the malicious link in the content file. However, the link may be clicked by the same user who entered it before the content is saved.
  • The email mark was also vulnerable to injected JavaScript URLs. However, it was not possible to perform the attack via the Panel user interface due to email validation. The attack needed to be performed via a side channel such as the browser console.

The vulnerability allows attackers to inject malicious links into content. If the authenticated user clicked such a link before saving the content, the malicious script code would then be executed in their browser.

Patches

The problem has been patched in Kirby 4.9.4 and Kirby 5.4.4. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have added more robust validation against dangerous URL schemes that are entered in the affected writer marks.

AnalysisAI

Cross-site scripting in Kirby CMS's Panel writer field (versions <= 4.9.3 and 5.0.0-alpha.1 through 5.4.3) lets an authenticated user inject a JavaScript-scheme URL into the link or email marks that executes in their own browser session when clicked before the content is saved. In Kirby's default configuration this is limited to self-XSS requiring social engineering, but Panel plugins that embed the <k-writer> component without sanitizing HTML before storage can be escalated to stored XSS affecting other users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Learn target blueprint/content structure
Delivery
Social-engineer Panel editor to insert javascript: link
Exploit
Editor clicks link before save
Execution
Script runs in authenticated Panel session
Persist
Issue Kirby API calls as victim
Impact
Escalate via admin session or store XSS

Vulnerability AssessmentAI

Exploitation Exploitation requires the target Kirby site to use the writer field in a blueprint (or a Panel plugin embedding the <k-writer> component). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a real but constrained risk rather than a mass-exploitation threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with knowledge of a target site's blueprint structure socially engineers a Panel editor into pasting a crafted link whose target is a javascript: URL into a writer field, then convincing them to click it before saving. When clicked, the script runs in the editor's authenticated Panel session and can issue Kirby API requests with the victim's permissions; if the victim is an admin, this escalates attacker control. …
Remediation Vendor-released patches exist: upgrade to Kirby 5.4.4 (https://github.com/getkirby/kirby/releases/tag/5.4.4) for the 5.x line, or to Kirby 4.9.4 (https://github.com/getkirby/kirby/releases/tag/4.9.4) as a backport for 4.x installs that cannot yet move to 5; the vendor recommends upgrading to Kirby 5 where possible. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Kirby CMS deployments and document versions and custom plugin inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42671 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy