XML Processing Vulnerability in Kirby CMS by GetKirby
CVE-2026-32870
6.9 MEDIUM
What is CVE-2026-32870?
Kirby CMS contains a vulnerability in how its Xml::value() method handles XML data, affecting versions before 4.9.0 and 5.4.0. The vulnerability arises when a value that combines a valid CDATA block with external structured data is improperly processed, allowing unauthorized data to bypass the method's security measures. Sites or plugins that use this method to generate XML could emit manipulated output that is later interpreted by other systems, leading to unintended behavior. Kirby has addressed the issue in the latest releases by implementing stricter checks that ensure only valid CDATA is processed, which prevents extraneous data from passing through.
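The stricter check described above, sketched in PHP as an added example that is not Kirby's code. The function names and sample inputs are constructed, and the loose variant is an assumed illustration of the bug class rather than Kirby's earlier implementation.

```php
<?php
// Added example: not Kirby's code. Function names and samples are constructed.

// Assumed illustration of the bug class: accepts any value that merely
// starts with a CDATA section and returns it unescaped.
function xmlValueLoose(string $value): string
{
    if (preg_match('/^<!\[CDATA\[.*?\]\]>/s', $value) === 1) {
        return $value;
    }
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Strict form: the whole value must be exactly one CDATA section,
// i.e. the first "]]>" terminator is also the last three bytes.
function xmlValueStrict(string $value): string
{
    $open  = '<![CDATA[';
    $close = ']]>';
    $single = str_starts_with($value, $open)
        && strpos($value, $close, strlen($open)) === strlen($value) - strlen($close);

    return $single
        ? $value
        : htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: one clean CDATA block, one with trailing markup,
// one with two adjacent blocks, one plain string.
$samples = [
    '<![CDATA[plain text]]>',
    '<![CDATA[ok]]><extra attr="1"/>',
    '<![CDATA[a]]><![CDATA[b]]>',
    'Tom & Jerry <b>',
];

foreach ($samples as $s) {
    printf("input : %s\nloose : %s\nstrict: %s\n\n", $s, xmlValueLoose($s), xmlValueStrict($s));
}
```

Only the first sample passes through the strict function unescaped; the second and third are escaped as ordinary text, which is the behavior a regression test for a patched site or plugin can assert.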
Affected Version(s)
kirby < 4.9.0
kirby >= 5.0.0, < 5.4.0
