{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cms--4.9.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cms (\u003c= 4.9.0)","cms (\u003e= 5.0.0, \u003c= 5.4.0)"],"_cs_severities":["high"],"_cs_tags":["arbitrary-code-execution","privilege-escalation","web-application"],"_cs_type":"threat","_cs_vendors":["getkirby"],"content_html":"\u003cp\u003eKirby CMS versions before 4.9.1 and versions 5.0.0 through 5.4.0 are susceptible to an arbitrary method call vulnerability via its REST API. The vulnerability stems from insufficient validation of model attributes used in collection queries. An authenticated attacker with access to the Panel can exploit this to invoke arbitrary model methods, potentially leading to sensitive data disclosure (e.g., password hashes, filesystem paths) or unauthorized actions like privilege escalation or data deletion. This issue affects all Kirby sites where potential attackers are authenticated Panel users. 
The vulnerability was reported responsibly and has been addressed in Kirby versions 4.9.1 and 5.4.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Kirby Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious REST API request targeting a collection endpoint such as \u003ccode\u003e/site/children\u003c/code\u003e or \u003ccode\u003e/users\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a collection query parameter (e.g., \u003ccode\u003efilter\u003c/code\u003e, \u003ccode\u003esort\u003c/code\u003e) with an arbitrary model method as the attribute.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Kirby CMS endpoint processes the request without proper validation of the model attribute.\u003c/li\u003e\n\u003cli\u003eThe specified model method is executed, potentially disclosing sensitive information like password hashes via \u003ccode\u003epassword()\u003c/code\u003e or filesystem paths via \u003ccode\u003eroot()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could trigger impactful actions like privilege escalation by calling \u003ccode\u003eloginPasswordless()\u003c/code\u003e or data deletion by calling \u003ccode\u003edelete()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access or causes data loss, depending on the method called and the attacker\u0026rsquo;s permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to disclose sensitive information or perform unauthorized actions. This can lead to complete compromise of the Kirby CMS instance, including unauthorized access to content, modification of data, or denial of service.  
The impact is high, affecting all Kirby sites with authenticated Panel users, leading to privilege escalation or data loss, depending on the permissions of the authenticated user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kirby CMS version 4.9.1, 5.4.1, or later to patch CVE-2026-44174.\u003c/li\u003e\n\u003cli\u003eImplement input validation on REST API endpoints to prevent arbitrary method calls.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious API requests containing potentially malicious method calls in query parameters.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T23:52:40Z","date_published":"2026-05-26T23:52:40Z","id":"https://feed.craftedsignal.io/briefs/2026-05-kirby-cms-method-call/","summary":"Kirby CMS is vulnerable to arbitrary method call via REST API search and collection query endpoints, allowing attackers to execute sensitive methods like password disclosure or privilege escalation, patched in versions 4.9.1 and 5.4.1.","title":"Kirby CMS Arbitrary Method Call Vulnerability via REST API","url":"https://feed.craftedsignal.io/briefs/2026-05-kirby-cms-method-call/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cms (\u003c= 4.9.0)","cms (\u003e= 5.0.0, \u003c= 5.4.0)"],"_cs_severities":["high"],"_cs_tags":["xss","CVE-2026-44175","kirby-cms","web-application"],"_cs_type":"threat","_cs_vendors":["Kirby"],"content_html":"\u003cp\u003eKirby CMS versions prior to 4.9.1 and from 5.0.0 to 5.4.0 are susceptible to a stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-44175, stemming from the improper sanitization of list field content. 
This vulnerability affects all Kirby sites that use the list field or list block when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block. The attack surfaces in the site frontend, not the Panel itself. Kirby sites are not affected if they don\u0026rsquo;t use the list field (or blocks field with the list block) in any of their blueprints, or if every user who can edit content is fully trusted.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to the Kirby Panel with update permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a page or content structure that utilizes a \u0026lsquo;list\u0026rsquo; field or \u0026lsquo;blocks\u0026rsquo; field with the \u0026lsquo;list\u0026rsquo; block.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code embedded within HTML tags.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the \u0026lsquo;list\u0026rsquo; field content, either directly via API or through the Panel\u0026rsquo;s editing interface.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified content. 
The injected payload is stored within the content files on the server.\u003c/li\u003e\n\u003cli\u003eA user (either another authenticated user or an unauthenticated visitor) requests the page containing the affected \u0026lsquo;list\u0026rsquo; field on the site frontend.\u003c/li\u003e\n\u003cli\u003eThe server renders the page, including the injected malicious HTML code from the \u0026lsquo;list\u0026rsquo; field.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the injected JavaScript code, potentially leading to session hijacking, data theft, or other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability (CVE-2026-44175) allows an attacker to execute arbitrary JavaScript code in the context of a user\u0026rsquo;s browser session. This can lead to credential theft, session hijacking, defacement of the website, or redirection to malicious sites. The impact is high severity, as it affects all Kirby sites using the list field when content is authored by users who may not be fully trusted. 
The number of victims depends on the number of affected sites and the frequency with which users access pages containing the injected payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kirby CMS version 4.9.1 or 5.4.1, or later, to apply the patch that sanitizes list field content, mitigating the XSS vulnerability (CVE-2026-44175).\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and output encoding mechanisms on all user-supplied data within the Kirby CMS environment.\u003c/li\u003e\n\u003cli\u003eReview existing content for potentially malicious code within list fields and sanitize the content.\u003c/li\u003e\n\u003cli\u003eDeploy a Web Application Firewall (WAF) with rules to detect and block XSS attacks targeting Kirby CMS, specifically focusing on the \u0026lsquo;list\u0026rsquo; field and \u0026lsquo;blocks\u0026rsquo; field inputs.\u003c/li\u003e\n\u003cli\u003eEnable logging for all API requests to the Kirby Panel to monitor for suspicious activity and potential payload injections.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T23:52:25Z","date_published":"2026-05-26T23:52:25Z","id":"https://feed.craftedsignal.io/briefs/2026-05-kirby-cms-xss/","summary":"Kirby CMS is vulnerable to cross-site scripting (XSS) via the list field or list block, allowing an authenticated Panel user with update permission to inject malicious HTML code into the content file, which is then executed in the browsers of site visitors and logged-in users; the vulnerability is tracked as CVE-2026-44175 and has been patched in versions 4.9.1 and 5.4.1.","title":"Kirby CMS Vulnerable to Cross-Site Scripting (XSS) via List Field Content (CVE-2026-44175)","url":"https://feed.craftedsignal.io/briefs/2026-05-kirby-cms-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cms (\u003c= 4.9.0)","version":"https://jsonfeed.org/version/1.1"}