Cross-Site Scripting Vulnerability in Kirby Content Management System
CVE-2026-49276
7.4HIGH
What is CVE-2026-49276?
The Kirby Content Management System is susceptible to cross-site scripting vulnerabilities due to improper handling of user input in the writer field. Specifically, prior to versions 4.9.4 and 5.4.4, users could include executable script links in the targets of links or email components in writer mark inputs. This flaw enables self cross-site scripting attacks within the Panel, allowing malicious actors to exploit affected installations with relatively low effort. It is crucial that users upgrade to the latest versions to mitigate this risk.
Affected Version(s)
kirby < 4.9.4 < 4.9.4
kirby >= 5.0.0, < 5.4.4 < 5.0.0, 5.4.4
