CVE-2026-45368 in Kirbyinfo

Summary

by MITRE • 07/17/2026

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the underlying URL methods for the KirbyTags and image blocks components did not filter out malicious URL values that resolve to script execution. The vulnerability affects four first-party Kirby renderers that produce `<a href="…">` output from editor-supplied field values: the (`link: …)` KirbyTag, the `link`: parameter of the `(image: …)` KirbyTag when it does not resolve to a known file or `self`, the `link` field of the built-in image block, and the HTML importer for the `blocks` field (which accepted the same malicious input as the image block `link` field). While simple `avascript:` URLs were already deactivated by treating them as a relative path and prepending a single slash to the URL, the use of URLs of the format `javascript://x%0A…` bypasses this protection. The `vbscript:`, `data:`, `livescript:`, `mocha:` and `jar:` schemes are affected by the same underlying gap. This issue has been fixed in versions 4.9.1 and 5.4.1.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability represents a critical cross-site scripting flaw in Kirby CMS affecting versions prior to 4.9.1 and 5.4.1, where the URL filtering mechanisms fail to properly sanitize malicious script execution URLs. The issue stems from insufficient input validation in four primary renderer components that process user-supplied content, specifically the link: KirbyTag, image: KirbyTag's link parameter, image block link field, and HTML importer for blocks fields. These components generate HTML anchor tags without adequate sanitization of potentially dangerous URL schemes, creating multiple attack vectors for malicious actors to inject executable code.

The technical exploitation occurs through specific URL format bypasses that circumvent existing security measures designed to prevent javascript: URLs from executing. While the system already handled simple javascript: URLs by treating them as relative paths and prepending a forward slash, attackers discovered that URLs formatted as javascript://x%0A... could bypass this protection mechanism. This demonstrates a fundamental flaw in the URL sanitization logic where encoded characters and alternate scheme representations were not properly filtered. The vulnerability extends beyond javascript: to include vbscript:, data:, livescript:, mocha:, and jar: schemes, all of which share the same underlying filtering gap that allows malicious code execution through seemingly innocuous user input fields.

The operational impact of this vulnerability is severe as it enables remote code execution through content management interfaces where attackers can inject malicious URLs into editable fields. When processed by any of the affected renderers, these URLs could trigger script execution in users' browsers when the rendered content is viewed, potentially leading to session hijacking, data theft, or full system compromise. The vulnerability affects both content editors and end-users since the malicious code executes during page rendering regardless of user permissions. Given that Kirby's core functionality relies on user-generated content through its rich text editors and block-based systems, this issue creates a persistent attack surface across multiple content types.

Security mitigations for this vulnerability require immediate upgrading to patched versions 4.9.1 or 5.4.1 which implement comprehensive URL sanitization across all affected components. Organizations should also implement additional input validation layers at the application level and consider implementing content security policies to further restrict script execution within rendered content. The fix addresses the core CWE-79 (Cross-site Scripting) vulnerability pattern while specifically targeting the improper neutralization of special elements in web applications. This issue aligns with ATT&CK technique T1203 (Exploitation for Client Execution) and demonstrates how seemingly minor input filtering gaps can create severe security implications in content management systems. Organizations should conduct thorough audits of their content management workflows to identify any other potential bypasses in URL handling mechanisms and ensure that all user-supplied data undergoes proper sanitization before rendering.

Responsible

GitHub M

Reservation

05/12/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!