Product

Kirby CMS (<= 4.9.3)

2 briefs RSS

Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in Dom::sanitize()

A high-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54002, exists in Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3, allowing authenticated Panel users to inject malicious markup into `writer` or `list` fields or via `Sane` API-dependent custom code, leading to stored XSS and potential privilege escalation.

Kirby CMS +1 Authenticated Panel User xss web-application cms kirby-cms

2r 2t 2d ago

critical advisory

Critical Kirby CMS Vulnerability Allows Remote Admin Account Creation via Reverse Proxy Headers (CVE-2026-54003)

2 rules 2 TTPs

A critical external initialization vulnerability (CVE-2026-54003) in Kirby CMS allows unauthenticated attackers to create an initial admin account on sites running behind a reverse proxy, specifically when the proxy utilizes `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` headers, bypassing Kirby's `isLocal` check and enabling remote Panel installation with full administrative access.

Kirby CMS +1 web-vulnerability cms initial-access privilege-escalation kirby

2r 2t 2d ago