CVE-2026-45368
Received Received - Intake

XSS via Malicious URL in Kirby CMS

Vulnerability report for CVE-2026-45368, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the underlying URL methods for the KirbyTags and image blocks components did not filter out malicious URL values that resolve to script execution. The vulnerability affects four first-party Kirby renderers that produce `<a href="…">`Β output from editor-supplied field values: theΒ (`link: …)` KirbyTag, the `link`: parameter of the `(image: …)`Β KirbyTag when it does not resolve to a known file or `self`, theΒ `link`Β field of the built-in image block, and the HTML importer for the `blocks` field (which accepted the same malicious input as the image block `link` field). While simple `avascript:` URLs were already deactivated by treating them as a relative path and prepending a single slash to the URL, the use of URLs of the format `javascript://x%0A…` bypasses this protection. The `vbscript:`, `data:`, `livescript:`, `mocha:` and `jar:` schemes are affected by the same underlying gap. This issue has been fixed in versions 4.9.1 and 5.4.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kirby kirby to 5.4.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Kirby, an open-source content management system. It allows malicious URLs to execute scripts in four first-party renderers. The issue occurs because URL methods do not filter out malicious values that can trigger script execution. URLs like javascript://x%0A… bypass existing protections. Affected schemes include javascript:, vbscript:, data:, livescript:, mocha:, and jar:.

Detection Guidance

Detecting this vulnerability requires checking if your Kirby CMS version is prior to 4.9.1 or 5.4.1. Use commands like 'composer show kirby/kirby' or check the version in the Kirby admin panel. Inspect HTML output for malicious URL patterns like 'javascript://x%0A…' or other dangerous schemes.

Impact Analysis

An attacker could exploit this to run malicious scripts in your Kirby CMS environment. This could lead to unauthorized actions, data theft, or defacement of your website. Users with editor access could potentially inject harmful scripts via editor-supplied field values.

Mitigation Strategies

Upgrade Kirby to version 4.9.1 or 5.4.1 or later immediately. If upgrading is not possible, apply input validation to block malicious URL schemes such as 'javascript:', 'vbscript:', 'data:', 'livescript:', 'mocha:', and 'jar:' in user-supplied content.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45368. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart