CVE-2026-44175
Received Received - Intake

Stored XSS in Kirby CMS

Vulnerability report for CVE-2026-44175, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, Kirby did not securely sanitize the contents of the list field on save, leaving it vulnerable to cross-site scripting (XSS). Kirby's list field stores its formatted content as HTML, and unlike other field types, its HTML special characters cannot be escaped without losing the formatting. Sanitization was only enforced client-side in the Panel, while the server did not sanitize the content on save. As a result, an attacker could bypass the Panel and send malicious HTML directly to Kirby's API, storing unsanitized markup in the content file. That markup would then be rendered on the site frontend and executed in the browsers of site visitors and logged-in users browsing the site, resulting in persistent XSS. This issue has been fixed in versions 4.9.1 and 5.4.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
getkirby kirby to 5.4.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a cross-site scripting (XSS) issue in Kirby, an open-source content management system. Versions before 4.9.1 and 5.4.1 did not sanitize the list field content on save, allowing malicious HTML to be stored and executed in browsers of site visitors.

Detection Guidance

Detecting this vulnerability requires checking if your Kirby CMS version is affected. Run the following command to check the installed version: grep -r "version" /path/to/kirby/config/app.php. If the version is below 4.9.1 or 5.4.1, the system is vulnerable.

Impact Analysis

An attacker could exploit this to inject malicious scripts into your website. These scripts could steal user data, session cookies, or perform actions on behalf of users, compromising both visitors and logged-in users.

Compliance Impact

This XSS vulnerability could lead to unauthorized data access or modification, violating GDPR's data protection principles or HIPAA's security requirements for protected health information. Non-compliance risks fines and legal consequences.

Mitigation Strategies

Immediately update Kirby to version 4.9.1 or 5.4.1 or later. If updating is not possible, disable the list field in the Panel or restrict user input to trusted sources. Review stored content for malicious HTML and sanitize it manually.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44175. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart