CVE-2026-45368
getkirby · kirby
Kirby CMS is susceptible to a Cross-site Scripting (XSS) vulnerability that allows authenticated users to execute malicious scripts in the context of a victim session.
Executive summary
A Cross-site Scripting vulnerability in Kirby CMS could allow an authenticated attacker to execute arbitrary scripts, potentially leading to session hijacking or unauthorized administrative actions.
Vulnerability
The application is affected by an Improper Neutralization of Input during web page generation (CWE-79). An authenticated attacker with low privileges can inject malicious scripts that execute in the browser of other users, including administrators.
Business impact
Successful exploitation of this XSS vulnerability can result in the compromise of user accounts, theft of session cookies, and unauthorized modification of website content. With a CVSS score of 8.4, this vulnerability poses a high risk to the security of the CMS and the data managed within it.
Remediation
Immediate Action: Update the Kirby CMS installation to version 4.9.1 or 5.4.1 to mitigate this vulnerability.
Proactive Monitoring: Review web server logs for unusual patterns in requests that might indicate attempts to inject script tags into input fields.
Compensating Controls: Deploy a Content Security Policy (CSP) to restrict the sources from which scripts can be loaded and executed, thereby reducing the impact of successful XSS attacks.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The high CVSS score reflects the significant impact an XSS attack can have on a content management system. Administrators should apply the provided updates as soon as possible to ensure the security of their platform and user sessions.