CVE-2026-54002
Received Received - Intake

Stored XSS in Kirby CMS via Malicious Markup in Sanitization

Vulnerability report for CVE-2026-54002, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins that use the writer or list fields or call Dom::sanitize(), Sane::sanitize(), Sane::Html::sanitize(), Sane::Svg::sanitize(), Sane::Xml::sanitize(), Sane::sanitizeFile(), or file sanitizeContents() with untrusted input allow malicious markup injected as children of an unknown HTML or XML tag to pass through Dom::sanitize() without being correctly sanitized, causing stored cross-site scripting. This issue is fixed in versions 4.9.4 and 5.4.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
getkirby kirby to 4.9.4 (exc)
getkirby kirby From 5.0.0 (inc) to 5.4.4 (exc)
getkirby kirby to 5.4.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54002 is a stored cross-site scripting (XSS) vulnerability in the Kirby content management system. It occurs because the sanitization methods like Dom::sanitize() and related functions fail to properly sanitize child nodes of unknown HTML or XML tags. This allows malicious markup injected as children of these tags to pass through without being cleaned, enabling attackers to store and execute malicious scripts.

The root cause is that the unwrap() method in the sanitization process cloned child nodes instead of moving them, causing some descendants to bypass sanitization. The vulnerability affects writer and list fields and various sanitize methods when processing untrusted input.

This issue was fixed in Kirby versions 4.9.4 and 5.4.4 by changing the unwrap() method to move child nodes directly and properly handle namespaces, ensuring all child elements are sanitized correctly.

Impact Analysis

This vulnerability can allow authenticated users with lower privileges to inject malicious scripts into Kirby sites or plugins that use vulnerable sanitization methods. When this malicious content is rendered in the Panel or frontend, it can execute JavaScript in the context of other users.

The impact includes stored cross-site scripting attacks that can lead to privilege escalation, session hijacking, or performing actions on behalf of higher-privileged users.

Although Kirby's default file upload protections remain unaffected, sites using the vulnerable sanitization paths are at risk and should update to patched versions or re-sanitize existing content to mitigate exploitation.

Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) through improper sanitization of HTML/XML content in Kirby CMS sites or plugins using certain fields or sanitization methods. Detection involves identifying if your Kirby CMS installation is running a vulnerable version (below 4.9.4 or 5.4.4) and checking for malicious markup injected as children of unknown HTML or XML tags in stored content.

Since the vulnerability is related to stored content and sanitization functions, detection on the network level is not straightforward. Instead, you should audit your Kirby CMS version and inspect content fields that use writer or list fields or call the vulnerable sanitization methods.

Suggested commands to detect vulnerable versions or potentially malicious content include:

  • Check Kirby CMS version via command line or admin panel to confirm if it is below 4.9.4 or 5.4.4.
  • Search your content database or files for suspicious HTML/XML tags that are unknown or unusual, especially those containing script or event handler attributes.
  • Use grep or similar tools to find occurrences of vulnerable sanitization method calls in your codebase, e.g., `grep -r 'Dom::sanitize' ./`.
  • Manually review or script scanning of content fields that accept user input for embedded malicious markup.
Mitigation Strategies

The primary and immediate mitigation step is to update your Kirby CMS installation to version 4.9.4 or 5.4.4 or later, where the vulnerability has been fixed.

The fix involves changes to the Dom::unwrap() method to ensure proper sanitization of child nodes, preventing malicious markup from bypassing filters.

If you suspect that attackers may have exploited this vulnerability, you should also re-sanitize existing content that might contain malicious markup.

Additionally, review and restrict user permissions to limit who can input content that uses the vulnerable fields or sanitization methods.

Monitor your site for unusual behavior or signs of stored XSS exploitation, such as unexpected script execution in the Panel or frontend.

Compliance Impact

The vulnerability in Kirby CMS allows stored cross-site scripting (XSS) attacks by permitting malicious markup to bypass sanitization. This can lead to unauthorized script execution in the context of authenticated users, potentially exposing sensitive data or enabling privilege escalation.

Such security flaws can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user input to prevent unauthorized access or data breaches.

If exploited, this vulnerability could lead to data leakage or unauthorized actions, thereby violating data protection requirements and increasing the risk of non-compliance with these regulations.

Therefore, organizations using affected Kirby versions should update to patched versions (4.9.4 and 5.4.4) and re-sanitize existing content to mitigate risks and maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54002. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart