CVE-2026-44175 in Kirbyinfo

Summary

by MITRE • 07/17/2026

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, Kirby did not securely sanitize the contents of the list field on save, leaving it vulnerable to cross-site scripting (XSS). Kirby's list field stores its formatted content as HTML, and unlike other field types, its HTML special characters cannot be escaped without losing the formatting. Sanitization was only enforced client-side in the Panel, while the server did not sanitize the content on save. As a result, an attacker could bypass the Panel and send malicious HTML directly to Kirby's API, storing unsanitized markup in the content file. That markup would then be rendered on the site frontend and executed in the browsers of site visitors and logged-in users browsing the site, resulting in persistent XSS. This issue has been fixed in versions 4.9.1 and 5.4.1.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability in Kirby CMS represents a critical cross-site scripting flaw that emerged from improper input sanitization practices within the list field functionality. This security weakness affected versions prior to 4.9.1 and 5.4.1, creating a persistent threat vector that could be exploited by malicious actors to compromise user sessions and execute unauthorized code within the context of affected websites. The vulnerability stems from the fundamental design approach where HTML content was stored in its raw format without adequate server-side validation, creating a dangerous gap between client-side and server-side security controls.

The technical flaw manifests specifically in how Kirby handles list field data processing, where the system stores formatted HTML content directly without proper sanitization measures. Unlike other field types within the CMS that implement robust escaping mechanisms to prevent XSS attacks, the list field was designed to preserve formatting capabilities by storing raw HTML markup. This design choice created a security loophole because while client-side sanitization occurred in the Panel interface, the server-side API endpoint lacked equivalent protection mechanisms. The absence of server-side validation allowed malicious payloads to be submitted directly through API calls bypassing the Panel's client-side safeguards entirely.

The operational impact of this vulnerability extends beyond simple script execution to encompass potential session hijacking and data theft scenarios. When unsanitized HTML content was stored in the content files, it would subsequently render on the website frontend whenever users accessed pages containing the compromised data. This persistent XSS attack vector meant that every visitor to the site, whether logged-in or not, could be exposed to malicious scripts executing within their browser context. The vulnerability was particularly dangerous because it did not require authentication for exploitation and could affect any user who visited the compromised website, making it a significant threat to both administrators and general site visitors.

Security professionals should note this vulnerability aligns with CWE-79 (Cross-site Scripting) and follows patterns commonly associated with ATT&CK technique T1566.001 (Phishing via Social Media) where malicious payloads are embedded in website content to compromise user systems. The remediation approach implemented by Kirby developers addressed the root cause by enforcing consistent sanitization across both client-side and server-side processing, ensuring that all input passes through proper validation regardless of submission method. Organizations using affected versions should prioritize immediate upgrade to versions 4.9.1 or 5.4.1 respectively, while also implementing additional monitoring measures to detect potential exploitation attempts. The fix demonstrates the importance of defense-in-depth principles where multiple layers of security controls work together to prevent similar vulnerabilities from compromising system integrity and user safety.

Responsible

GitHub M

Reservation

05/05/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!