{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/authenticated-panel-user/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Authenticated Panel User"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kirby CMS (\u003c= 4.9.3)","Kirby CMS (\u003e= 5.0.0-alpha.1, \u003c= 5.4.3)"],"_cs_severities":["high"],"_cs_tags":["xss","web-application","cms","kirby-cms"],"_cs_type":"threat","_cs_vendors":["Kirby"],"content_html":"\u003cp\u003eA high-severity cross-site scripting (XSS) vulnerability, identified as CVE-2026-54002, affects Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3. This flaw stems from incomplete HTML/XML sanitization within the \u003ccode\u003eDom::sanitize()\u003c/code\u003e method, which is integral to the platform's content processing, including \u003ccode\u003ewriter\u003c/code\u003e and \u003ccode\u003elist\u003c/code\u003e fields, and \u003ccode\u003eSane\u003c/code\u003e API functions. An authenticated Panel user can exploit this by injecting malicious markup as children of unknown HTML/XML tags. The \u003ccode\u003eDom::sanitize()\u003c/code\u003e method fails to correctly sanitize these unwrapped child nodes, allowing the malicious content to be stored and subsequently executed as JavaScript in the browser of other users, including administrators, when they view the affected content in the Panel or on the site frontend. 
This creates a risk of privilege escalation and other client-side attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker logs into the Kirby CMS Panel with legitimate credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to an editable content field, such as a \u003ccode\u003ewriter\u003c/code\u003e or \u003ccode\u003elist\u003c/code\u003e field, or interacts with a custom plugin using the \u003ccode\u003eSane\u003c/code\u003e API functions (\u003ccode\u003e$dom-\u0026gt;sanitize()\u003c/code\u003e, \u003ccode\u003eSane::sanitizeFile()\u003c/code\u003e, etc.).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts and injects malicious markup, specifically including JavaScript code (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert('XSS')\u0026lt;/script\u0026gt;\u003c/code\u003e) as children of an unknown HTML/XML tag (e.g., \u003ccode\u003e\u0026lt;foo\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u0026lt;/foo\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Kirby backend processes the submitted content, invoking the vulnerable \u003ccode\u003eDom::sanitize()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eDue to the flaw, \u003ccode\u003eDom::sanitize()\u003c/code\u003e unwraps the unknown parent tag but fails to sanitize the malicious child nodes, allowing the JavaScript payload to be saved unsanitized into the content data.\u003c/li\u003e\n\u003cli\u003eAnother user, potentially a higher-privileged administrator, accesses the Panel or frontend page where the maliciously injected content is displayed.\u003c/li\u003e\n\u003cli\u003eThe victim's web browser renders the unsanitized content, leading to the execution of the injected JavaScript within their session context.\u003c/li\u003e\n\u003cli\u003eThe executed script can steal session cookies, perform unauthorized actions via Kirby's API (e.g., privilege escalation), redirect 
the user, or deface the interface, compromising the victim's account and potentially the entire CMS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability poses a significant risk to affected Kirby CMS installations, particularly those with multiple authenticated users where some may be untrusted or malicious. Successful exploitation allows for stored XSS, meaning the injected JavaScript persists and executes each time the compromised content is viewed. This can lead to privilege escalation, enabling lower-privileged authenticated users to escalate their access by compromising higher-privileged user sessions (e.g., administrators). The impact can range from session hijacking, data exfiltration through unauthorized API calls to Kirby's backend, to defacement or other client-side attacks affecting any user viewing the malicious content. The advisory notes that content stored before patching may still contain malicious payloads, emphasizing the persistent nature of the threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-54002\u003c/strong\u003e: Immediately update Kirby CMS to version 4.9.4, 5.4.4, or a later release to remediate the sanitization flaw.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview and Re-sanitize Content\u003c/strong\u003e: If untrusted authenticated users had access to the Kirby Panel on a security-critical site, review and re-sanitize all existing content that may have passed through affected fields (e.g., \u003ccode\u003ewriter\u003c/code\u003e, \u003ccode\u003elist\u003c/code\u003e fields, or custom code using \u003ccode\u003eSane\u003c/code\u003e API) for potential malicious payloads.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma Rule for XSS Attempts\u003c/strong\u003e: Deploy the \u003ccode\u003eDetect CVE-2026-54002 XSS Injection in Kirby Panel\u003c/code\u003e 
Sigma rule to your webserver logs (category \u003ccode\u003ewebserver\u003c/code\u003e) to identify attempts to inject XSS payloads into Kirby content fields. Note that standard access logs record the request line and headers but not request bodies, while the Panel submits field content to the Kirby API in POST/PATCH JSON bodies; a log-based rule therefore only catches payloads that appear in a URL or query string, and complements rather than replaces patching and content review.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement WAF/API Security\u003c/strong\u003e: Implement a Web Application Firewall (WAF) or API security gateway to block requests containing known XSS patterns targeting CMS editing endpoints, acting as an additional layer of defense; tune the rules to the Panel API paths, since \u003ccode\u003ewriter\u003c/code\u003e fields legitimately submit HTML and overly broad signatures will break editing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:25:22Z","date_published":"2026-06-18T15:25:22Z","id":"https://feed.craftedsignal.io/briefs/2026-06-kirby-xss-dom-sanitize/","summary":"A high-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54002, exists in Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3, allowing authenticated Panel users to inject malicious markup into `writer` or `list` fields or via `Sane` API-dependent custom code, leading to stored XSS and potential privilege escalation.","title":"Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in Dom::sanitize()","url":"https://feed.craftedsignal.io/briefs/2026-06-kirby-xss-dom-sanitize/"}],"language":"en","title":"CraftedSignal Threat Feed - Authenticated Panel User","version":"https://jsonfeed.org/version/1.1"}
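The attack chain above (an unknown tag is unwrapped but its children are never re-sanitized) and the "review and re-sanitize content" recommendation, as a runnable model. This is example code added to the brief, not Kirby's Dom::sanitize() or Sane code: a minimal allowlist sanitizer over a tree built with Python's stdlib HTMLParser, with the snapshot-iteration walk that never revisits spliced-in nodes beside an index-based walk that does. The allowlist, DROP_TAGS, the SAFE_SCHEMES href check, and every function name are assumptions made for the demonstration; the sample payloads are constructed in the shape the attack chain describes.

```python
# Added model of the "unwrap but do not re-sanitize" bug; this is NOT Kirby's
# Dom::sanitize(). ALLOWED_TAGS, ALLOWED_ATTRS, DROP_TAGS and all names are assumed.
from dataclasses import dataclass, field
from html import escape
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_TAGS = {"script", "style", "iframe", "object", "embed"}  # removed with content
SAFE_SCHEMES = {"http", "https", "mailto"}

@dataclass(eq=False)  # identity equality, so list.index() finds this exact node
class Node:
    tag: Optional[str]  # None = text node, "#root" = fragment container
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)
    children: List["Node"] = field(default_factory=list)
    text: str = ""

class TreeBuilder(HTMLParser):
    """Minimal element tree from an HTML fragment, built with the stdlib parser."""
    def __init__(self):
        super().__init__()
        self.root = Node("#root")
        self.stack = [self.root]
    def handle_starttag(self, tag, attrs):
        node = Node(tag, dict(attrs))
        self.stack[-1].children.append(node)
        self.stack.append(node)
    def handle_endtag(self, tag):
        if any(n.tag == tag for n in self.stack[1:]):  # ignore stray closers
            while self.stack.pop().tag != tag:
                pass
    def handle_data(self, data):
        self.stack[-1].children.append(Node(None, text=data))

def parse(fragment: str) -> Node:
    builder = TreeBuilder()
    builder.feed(fragment)
    builder.close()
    return builder.root

def serialize(node: Node) -> str:
    if node.tag is None:
        return escape(node.text, quote=False)
    inner = "".join(serialize(c) for c in node.children)
    if node.tag == "#root":
        return inner
    attrs = "".join(f' {k}="{escape(v or "")}"' for k, v in node.attrs.items())
    return f"<{node.tag}{attrs}>{inner}</{node.tag}>"

def _safe_url(value: str) -> bool:
    scheme = urlsplit("".join(value.split())).scheme.lower()  # defeats "java\tscript:"
    return scheme == "" or scheme in SAFE_SCHEMES

def _clean_attrs(node: Node) -> None:
    allowed = ALLOWED_ATTRS.get(node.tag, set())
    node.attrs = {k: v for k, v in node.attrs.items()
                  if k in allowed and (k != "href" or _safe_url(v or ""))}

def _walk_vulnerable(parent: Node) -> None:
    """Buggy pattern: iterate a snapshot of the children and unwrap an unknown tag by
    splicing its children into the parent; the spliced nodes are never visited."""
    for child in list(parent.children):
        if child.tag is None:
            continue
        if child.tag in DROP_TAGS:
            parent.children.remove(child)
        elif child.tag in ALLOWED_TAGS:
            _clean_attrs(child)
            _walk_vulnerable(child)
        else:
            idx = parent.children.index(child)
            parent.children[idx:idx + 1] = child.children  # BUG: never sanitized

def _walk_fixed(parent: Node) -> None:
    """Fixed pattern: walk by index and do not advance after an unwrap, so the
    spliced-in nodes are dropped, cleaned or unwrapped in their turn."""
    i = 0
    while i < len(parent.children):
        child = parent.children[i]
        if child.tag is None:
            i += 1
        elif child.tag in DROP_TAGS:
            del parent.children[i]
        elif child.tag in ALLOWED_TAGS:
            _clean_attrs(child)
            _walk_fixed(child)
            i += 1
        else:
            parent.children[i:i + 1] = child.children  # re-examined on next pass

def sanitize(fragment: str, fixed: bool = True) -> str:
    root = parse(fragment)
    (_walk_fixed if fixed else _walk_vulnerable)(root)
    return serialize(root)

def needs_review(fragment: str) -> bool:
    """Review helper for content stored before patching: True when the fixed walker
    would change it (input is normalized first so quoting differences do not count)."""
    return serialize(parse(fragment)) != sanitize(fragment)
```

For the constructed payload `<p>Hello <foo><script>alert(1)</script></foo> world</p>`, `sanitize(payload, fixed=False)` returns the `<script>` element intact, exactly the failure the attack chain describes, while `sanitize(payload)` drops it; the same holds for deeper nesting such as `<foo><bar><script>…</script></bar></foo>`, where the buggy walk leaves `<bar>` and its script in place. `needs_review()` run over stored `writer`/`list` field values flags content that the corrected walker would still alter, which is a practical way to triage content saved before the patch.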