Cross-Site Scripting Vulnerability in Kirby Content Management System
CVE-2026-49276

7.4HIGH

Key Information:

Vendor

Getkirby

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-49276?

The Kirby Content Management System is susceptible to cross-site scripting vulnerabilities due to improper handling of user input in the writer field. Specifically, prior to versions 4.9.4 and 5.4.4, users could include executable script links in the targets of links or email components in writer mark inputs. This flaw enables self cross-site scripting attacks within the Panel, allowing malicious actors to exploit affected installations with relatively low effort. It is crucial that users upgrade to the latest versions to mitigate this risk.

Affected Version(s)

kirby < 4.9.4 < 4.9.4

kirby >= 5.0.0, < 5.4.4 < 5.0.0, 5.4.4

References

CVSS V4

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.