CVE-2026-45368

getkirby · kirby

Kirby CMS is susceptible to a Cross-site Scripting (XSS) vulnerability that allows authenticated users to execute malicious scripts in the context of a victim session.

Executive summary

A Cross-site Scripting vulnerability in Kirby CMS could allow an authenticated attacker to execute arbitrary scripts, potentially leading to session hijacking or unauthorized administrative actions.

Vulnerability

The application is affected by an Improper Neutralization of Input during web page generation (CWE-79). An authenticated attacker with low privileges can inject malicious scripts that execute in the browser of other users, including administrators.

Business impact

Successful exploitation of this XSS vulnerability can result in the compromise of user accounts, theft of session cookies, and unauthorized modification of website content. With a CVSS score of 8.4, this vulnerability poses a high risk to the security of the CMS and the data managed within it.

Remediation

Immediate Action: Update the Kirby CMS installation to version 4.9.1 or 5.4.1 to mitigate this vulnerability.

Proactive Monitoring: Review web server logs for unusual patterns in requests that might indicate attempts to inject script tags into input fields.

Compensating Controls: Deploy a Content Security Policy (CSP) to restrict the sources from which scripts can be loaded and executed, thereby reducing the impact of successful XSS attacks.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The high CVSS score reflects the significant impact an XSS attack can have on a content management system. Administrators should apply the provided updates as soon as possible to ensure the security of their platform and user sessions.