CVE-2026-49276
Received Received - Intake

Stored XSS in Kirby CMS via Writer Field Link Target

Vulnerability report for CVE-2026-49276, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the writer field in any blueprint allowed a scripting link to be included as the target of a link or email link in writer mark components, making the target clickable by the user who entered it and enabling self cross-site scripting in the Panel. This issue is fixed in versions 4.9.4 and 5.4.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
getkirby kirby to 4.9.4 (exc)
getkirby kirby From 5.0.0 (inc) to 5.4.4 (exc)
getkirby kirby to 5.4.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49276 is a self cross-site scripting (self-XSS) vulnerability in Kirby CMS versions 4.9.3 and below, as well as 5.0.0 to 5.4.3. It occurs in the writer field of Kirby's Panel, where users can input formatted text including links.

The vulnerability allows an attacker to insert JavaScript URLs as link targets, which execute when clicked by the user who entered them. This requires social engineering to trick a user with Panel access into clicking the malicious link before saving content.

While the attack is limited to self-XSS in default configurations, it could escalate privileges if an admin user is compromised. Additionally, Panel plugins using the <k-writer> component without proper HTML sanitization may also be vulnerable to stored XSS.

The issue is fixed in Kirby versions 4.9.4 and 5.4.4 by adding validation to block dangerous URL schemes.

Compliance Impact

The vulnerability is a self cross-site scripting (self-XSS) issue in the Kirby CMS Panel that allows users to insert scripting links which execute when clicked by the same user. This type of vulnerability can lead to unauthorized script execution and potential privilege escalation if an admin user is compromised.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities like self-XSS can impact compliance by exposing systems to risks of unauthorized access or data manipulation, which may violate data protection and security requirements mandated by these regulations.

Therefore, organizations using affected versions of Kirby CMS should apply the security patches (versions 4.9.4 and 5.4.4) to mitigate these risks and help maintain compliance with common security standards.

Impact Analysis

This vulnerability can impact users by allowing execution of malicious JavaScript code when a user clicks a crafted link in the Kirby Panel's writer field.

Since the attack requires user interaction and social engineering, it primarily affects the user who entered the malicious link, potentially leading to self-XSS.

However, if an administrator is tricked into clicking such a link, it could lead to privilege escalation and compromise of the CMS.

Furthermore, plugins that use the vulnerable <k-writer> component without proper sanitization may be exposed to stored cross-site scripting attacks, increasing the risk.

Detection Guidance

This vulnerability involves self cross-site scripting (self-XSS) in the Kirby CMS Panel's writer field, where scripting links can be inserted as link targets. Detection involves inspecting the content entered in the writer field for suspicious JavaScript URLs or scripting links.

Since the vulnerability is triggered by user interaction within the Panel and involves crafted links, network detection is limited. However, administrators can audit the content of the writer fields in blueprints or database entries for any links starting with "javascript:" or other suspicious URL schemes.

No specific commands are provided in the resources, but a general approach could include searching the database or content files for occurrences of "javascript:" in link targets or using grep-like commands on the server hosting Kirby CMS.

Mitigation Strategies

The primary mitigation step is to upgrade Kirby CMS to version 4.9.4 or 5.4.4 or later, where the vulnerability has been fixed by adding validation to block dangerous URL schemes in the writer field.

Until the upgrade can be applied, administrators should educate users with Panel access about the risks of clicking suspicious links and avoid entering or clicking on links with scripting URLs.

Additionally, review and sanitize any Panel plugins using the <k-writer> component to ensure they properly sanitize HTML input to prevent stored XSS.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49276. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart