CVE-2026-54002 in Kirby
Summary
by MITRE • 07/09/2026
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins that use the writer or list fields or call Dom::sanitize(), Sane::sanitize(), Sane::Html::sanitize(), Sane::Svg::sanitize(), Sane::Xml::sanitize(), Sane::sanitizeFile(), or file sanitizeContents() with untrusted input allow malicious markup injected as children of an unknown HTML or XML tag to pass through Dom::sanitize() without being correctly sanitized, causing stored cross-site scripting. This issue is fixed in versions 4.9.4 and 5.4.4.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
This vulnerability affects Kirby content management systems where specific field types and sanitization functions fail to properly handle untrusted input containing malicious markup within unknown HTML or XML tags. The flaw exists in versions prior to 4.9.4 and 5.4.4, creating a persistent cross-site scripting risk when sites utilize writer or list fields, or directly call various sanitize functions including Dom::sanitize(), Sane::sanitize(), Sane::Html::sanitize(), Sane::Svg::sanitize(), Sane::Xml::sanitize(), Sane::sanitizeFile(), or file sanitizeContents(). The root cause stems from improper handling of nested markup structures where malicious content injected as children of unknown tags bypasses the intended sanitization filters, allowing attackers to store malicious scripts that execute in users' browsers when content is rendered. This represents a critical security flaw categorized under CWE-79 (Cross-site Scripting) and specifically manifests as CWE-116 (Improper Encoding or Escaping of Output) when sanitization functions fail to properly escape or remove dangerous markup patterns.
The operational impact of this vulnerability extends beyond simple script execution as it allows attackers to perform persistent XSS attacks that can compromise user sessions, steal sensitive information, manipulate content, or redirect users to malicious sites. When users view pages containing the stored malicious markup, their browsers execute the injected scripts within the context of the vulnerable site, potentially enabling full account takeovers, data exfiltration, or defacement of content management interfaces. The vulnerability affects both the core system and third-party plugins that rely on these sanitization functions, creating widespread exposure across Kirby installations. Attackers can leverage this weakness to inject malicious JavaScript code through seemingly legitimate content submission processes, making detection more difficult as the malicious markup appears to be part of normal content creation workflows.
Security mitigations for this vulnerability require immediate upgrade to Kirby versions 4.9.4 or 5.4.4 where the sanitization logic has been properly patched to correctly handle unknown HTML/XML tag structures and their child elements. Organizations should implement additional defensive measures including input validation at multiple layers, content security policies to limit script execution, and regular security scanning of uploaded content. The ATT&CK framework categorizes this as a technique involving T1566 (Phishing) and T1059 (Command and Scripting Interpreter) where attackers can establish persistent access through stored XSS vulnerabilities. Additional protective measures include implementing strict sanitization policies for all user-generated content, monitoring for unusual content patterns, and conducting regular penetration testing to identify similar sanitization weaknesses in other components of the web application stack. Security teams should also consider implementing web application firewalls that can detect and block suspicious markup patterns attempting to exploit this class of vulnerability.