{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/composer/getkirby/cms--5.0.0-alpha.1--5.4.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["composer/getkirby/cms \u003c= 4.9.3","composer/getkirby/cms \u003e= 5.0.0-alpha.1, \u003c= 5.4.3"],"_cs_severities":["high"],"_cs_tags":["xss","self-xss","web-vulnerability","kirby","cms"],"_cs_type":"advisory","_cs_vendors":["Kirby"],"content_html":"\u003cp\u003eThe Kirby CMS is affected by a high-severity self-cross-site scripting (self-XSS) vulnerability, tracked as CVE-2026-49276, in its writer field. This flaw impacts Kirby sites using the writer field in any blueprint, specifically versions prior to 4.9.4 and versions 5.0.0-alpha.1 through 5.4.3. Attackers can inject malicious \u003ccode\u003ejavascript:\u003c/code\u003e URLs into link or email targets within the writer field. While the backend sanitizes these before storage, an authenticated Panel user who enters such a malicious link and then clicks it \u003cem\u003ebefore saving the content\u003c/em\u003e will execute the script in their browser. This can lead to the attacker making API requests with the victim's permissions. Successful exploitation typically requires social engineering and knowledge of the content structure, and cannot be automated. Panel plugins directly using the \u003ccode\u003e\u0026lt;k-writer\u0026gt;\u003c/code\u003e component may also be susceptible to stored XSS if they lack proper HTML sanitization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker, with knowledge of the Kirby content structure, gains access to an authenticated Kirby Panel session (e.g., via stolen credentials or an insider threat).\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a content page utilizing the \u003ccode\u003ewriter\u003c/code\u003e field within the Kirby Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003ejavascript:\u003c/code\u003e URL payload (e.g., \u003ccode\u003ejavascript:alert(document.domain)\u003c/code\u003e) and inputs it into a \u0026quot;custom\u0026quot; link or email target within the \u003ccode\u003ewriter\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker then socially engineers or persuades another authenticated user (e.g., an administrator) to open the same content page in the Panel.\u003c/li\u003e\n\u003cli\u003eThe victim user clicks the maliciously crafted \u003ccode\u003ejavascript:\u003c/code\u003e link that the attacker previously inserted into the \u003ccode\u003ewriter\u003c/code\u003e field, but \u003cem\u003ebefore\u003c/em\u003e saving the content changes.\u003c/li\u003e\n\u003cli\u003eUpon clicking, the malicious JavaScript code embedded in the link executes within the victim's browser context, operating with the victim's Panel permissions.\u003c/li\u003e\n\u003cli\u003eThe script can then perform actions such as triggering API requests to Kirby's backend, exfiltrating sensitive session data, or escalating privileges by changing user settings.\u003c/li\u003e\n\u003cli\u003eThis leads to unauthorized actions being performed under the victim's identity within the Kirby CMS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis self-XSS vulnerability can lead to significant compromise of the Kirby CMS Panel. If an administrator account is targeted, successful exploitation allows the attacker to execute arbitrary JavaScript within the administrator's browser session. This can facilitate privilege escalation, unauthorized modification of content, data exfiltration from the Panel, or further actions through Kirby's API using the victim's permissions. While primarily self-XSS, Panel plugins using the vulnerable \u003ccode\u003e\u0026lt;k-writer\u0026gt;\u003c/code\u003e component could enable stored XSS, affecting other users or site visitors if not properly sanitized. The attack's effectiveness relies on social engineering, meaning the number of direct victims is hard to quantify but the potential for high impact on targeted individuals or organizations is severe.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-49276 immediately by updating Kirby CMS to version 4.9.4, 5.4.4, or a later release.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-49276 Exploitation — Kirby Panel JS URL Submission\u0026quot; to your SIEM to identify attempts at submitting \u003ccode\u003ejavascript:\u003c/code\u003e scheme URLs to your Kirby Panel.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging, ensuring that full request bodies and URL parameters for POST requests to Kirby Panel endpoints (e.g., \u003ccode\u003e/panel/api/pages/*/fields/writer\u003c/code\u003e) are captured for forensic analysis and detection.\u003c/li\u003e\n\u003cli\u003eEducate users with Kirby Panel access, especially those with elevated privileges, about the risks of clicking untrusted links within the Panel interface, even if they appear to be self-generated.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:26:57Z","date_published":"2026-06-18T15:26:57Z","id":"https://feed.craftedsignal.io/briefs/2026-06-kirby-self-xss-writer-field/","summary":"Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3 are vulnerable to a self-cross-site scripting (self-XSS) flaw, CVE-2026-49276, in the writer field, allowing an attacker to inject malicious JavaScript as the target of a link or email link which, if clicked by an authenticated user before saving, will execute in their browser context, potentially making API requests with their permissions, while Panel plugins using the `\u003ck-writer\u003e` component may be vulnerable to stored XSS if they don't sanitize HTML.","title":"Kirby: Self cross-site scripting (self-XSS) in the writer field (CVE-2026-49276)","url":"https://feed.craftedsignal.io/briefs/2026-06-kirby-self-xss-writer-field/"}],"language":"en","title":"CraftedSignal Threat Feed - Composer/Getkirby/Cms \u003e= 5.0.0-Alpha.1, \u003c= 5.4.3","version":"https://jsonfeed.org/version/1.1"}