Stored Cross-Site Scripting in Kirby Content Management System
CVE-2026-54002

8.5HIGH

Key Information:

Vendor

Getkirby

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-54002?

The Kirby Content Management System is susceptible to a stored cross-site scripting vulnerability when utilizing certain fields or sanitization functions. Malicious users can exploit this flaw to inject harmful markup through untrusted input, allowing it to bypass normal sanitation checks and potentially execute scripts on user browsers. This issue has been addressed in versions 4.9.4 and 5.4.4, which include improved sanitization measures to protect against these vulnerabilities.

Affected Version(s)

kirby < 4.9.4 < 4.9.4

kirby >= 5.0.0, < 5.4.4 < 5.0.0, 5.4.4

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.