CVE-2026-49276
published 2026-06-18


# Kirby: Self cross-site scripting (self-XSS) in the writer field

Severity: high

### TL;DR

This vulnerability affects Kirby sites that use the writer field in any blueprint.

It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it.

A successful attack commonly requires that the attacker knows the content structure of the site and social-engineers a user who has access to the Panel. The attack *cannot* be automated.

In Kirby's default configuration, the vulnerability is limited to self-XSS and *cannot* directly affect other users or visitors of the site. Panel plugins that are directly using the `` component may also be affected by stored XSS if they don't sanitize the resulting HTML before saving it to the content.
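The link target described above is the point where sanitization has to happen: a Panel plugin that stores writer-field HTML itself should accept a target only if its URL scheme is on an allowlist. The following is an added illustration of such a check, written for this page; it is not Kirby's own code and does not describe how the fix in 4.9.4 / 5.4.4 was implemented. The allowed schemes, the handling of relative paths and the function names are assumptions made here.

```javascript
// Added example (not Kirby's code): allowlist-based validation of a link
// target before it is stored as the href of a writer-field link.
// Assumptions: absolute links may use http, https, mailto or tel; targets
// without a scheme are relative paths, anchors or query strings; everything
// else (including any scripting scheme) is rejected.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Strip ASCII control characters and whitespace. Browsers ignore these when
// parsing a scheme, so leaving them in would let a scheme name hide behind
// them. Spaces inside a URL are expected to be percent-encoded anyway.
function normalizeTarget(raw) {
  return String(raw).replace(/[\u0000-\u0020\u007f]/g, "");
}

// Returns the href to store, or null if the target must be rejected.
function sanitizeLinkTarget(raw) {
  const value = normalizeTarget(raw);
  if (value === "") return null;

  // Protocol-relative URLs ("//host/path") inherit the page's scheme;
  // reject them rather than guess which scheme the browser will use.
  if (value.startsWith("//")) return null;

  // A scheme is a leading token of letters, digits, "+", "." or "-"
  // followed by ":". Matching is case-insensitive on purpose.
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(value);
  if (match === null) {
    // No scheme: a relative path, anchor or query string. Stored as-is.
    return value;
  }

  // Absolute target: only allowlisted schemes are stored. Note that a bare
  // "host:port/path" without a scheme is also rejected here, which is the
  // conservative choice; authors must write the scheme explicitly.
  return ALLOWED_SCHEMES.has(match[1].toLowerCase()) ? value : null;
}

// Apply the check to every link of a document before saving. Input is the
// list of link targets a plugin extracted from the editor's HTML; output
// maps each original target to the stored value (null = dropped).
function sanitizeLinkTargets(targets) {
  const result = new Map();
  for (const target of targets) {
    result.set(target, sanitizeLinkTarget(target));
  }
  return result;
}

// Constructed sample input for a stand-alone run.
const sample = [
  "https://example.com/page",
  "mailto:someone@example.com",
  "/about#team",
  "javascript:void(0)",
  "data:text/html,x",
];
for (const [target, stored] of sanitizeLinkTargets(sample)) {
  console.log(JSON.stringify(target), "->", stored === null ? "rejected" : stored);
}
```

The allowlist is the important design choice: a denylist of known bad schemes has to anticipate every spelling and encoding trick, whereas an allowlist only has to describe the handful of schemes the field is meant to support, and the normalization step exists solely so that the scheme comparison sees what the browser would see.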

**This vulnerability is of high severity for affected sites.**

----

### Introduction

Cross-site scripting (XSS) is a type of vulnerability that allows attackers to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can, for example, trigger requests to Kirby's API with the permissions of the victim.

*Self* cross-site scripting (self-XSS) typically involves a user inadvertently executing malicious code within their own context, often through social engineering techniques. This can occur when a user is tricked into pasting and executing malicious JavaScript code into the browser's developer console, address bar or form fields.

In a *stored* XSS attack, the malicious payload is saved into the content data and has the potential to affect other users or site visitors.

Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.

### Affected components

The `writer` field allows users t

### Affected versions

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getkirby | cms | >= 0, < 4.9.4 | 4.9.4 |
| getkirby | cms | >= 5.0.0-alpha.1, < 5.4.4 | 5.4.4 |