{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/kirby-cms--5.0.0-alpha.1--5.4.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Authenticated Panel User"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kirby CMS (\u003c= 4.9.3)","Kirby CMS (\u003e= 5.0.0-alpha.1, \u003c= 5.4.3)"],"_cs_severities":["high"],"_cs_tags":["xss","web-application","cms","kirby-cms"],"_cs_type":"threat","_cs_vendors":["Kirby"],"content_html":"\u003cp\u003eA high-severity cross-site scripting (XSS) vulnerability, identified as CVE-2026-54002, affects Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3. This flaw stems from incomplete HTML/XML sanitization within the \u003ccode\u003eDom::sanitize()\u003c/code\u003e method, which is integral to the platform's content processing, including \u003ccode\u003ewriter\u003c/code\u003e and \u003ccode\u003elist\u003c/code\u003e fields, and \u003ccode\u003eSane\u003c/code\u003e API functions. An authenticated Panel user can exploit this by injecting malicious markup as children of unknown HTML/XML tags. The \u003ccode\u003eDom::sanitize()\u003c/code\u003e method fails to correctly sanitize these unwrapped child nodes, allowing the malicious content to be stored and subsequently executed as JavaScript in the browser of other users, including administrators, when they view the affected content in the Panel or on the site frontend. This creates a risk of privilege escalation and other client-side attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker logs into the Kirby CMS Panel with legitimate credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to an editable content field, such as a \u003ccode\u003ewriter\u003c/code\u003e or \u003ccode\u003elist\u003c/code\u003e field, or interacts with a custom plugin using the \u003ccode\u003eSane\u003c/code\u003e API functions (\u003ccode\u003e$dom-\u0026gt;sanitize()\u003c/code\u003e, \u003ccode\u003eSane::sanitizeFile()\u003c/code\u003e, etc.).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts and injects malicious markup, specifically including JavaScript code (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert('XSS')\u0026lt;/script\u0026gt;\u003c/code\u003e) as children of an unknown HTML/XML tag (e.g., \u003ccode\u003e\u0026lt;foo\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u0026lt;/foo\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Kirby backend processes the submitted content, invoking the vulnerable \u003ccode\u003eDom::sanitize()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eDue to the flaw, \u003ccode\u003eDom::sanitize()\u003c/code\u003e unwraps the unknown parent tag but fails to sanitize the malicious child nodes, allowing the JavaScript payload to be saved unsanitized into the content data.\u003c/li\u003e\n\u003cli\u003eAnother user, potentially a higher-privileged administrator, accesses the Panel or frontend page where the maliciously injected content is displayed.\u003c/li\u003e\n\u003cli\u003eThe victim's web browser renders the unsanitized content, leading to the execution of the injected JavaScript within their session context.\u003c/li\u003e\n\u003cli\u003eThe executed script can steal session cookies, perform unauthorized actions via Kirby's API (e.g., privilege escalation), redirect the user, or deface the interface, compromising the victim's account and potentially the entire CMS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability poses a significant risk to affected Kirby CMS installations, particularly those with multiple authenticated users where some may be untrusted or malicious. Successful exploitation allows for stored XSS, meaning the injected JavaScript persists and executes each time the compromised content is viewed. This can lead to privilege escalation, enabling lower-privileged authenticated users to escalate their access by compromising higher-privileged user sessions (e.g., administrators). The impact can range from session hijacking, data exfiltration through unauthorized API calls to Kirby's backend, to defacement or other client-side attacks affecting any user viewing the malicious content. The advisory notes that content stored before patching may still contain malicious payloads, emphasizing the persistent nature of the threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-54002\u003c/strong\u003e: Immediately update Kirby CMS to version 4.9.4, 5.4.4, or a later release to remediate the sanitization flaw.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview and Re-sanitize Content\u003c/strong\u003e: If untrusted authenticated users had access to the Kirby Panel on a security-critical site, review and re-sanitize all existing content that may have passed through affected fields (e.g., \u003ccode\u003ewriter\u003c/code\u003e, \u003ccode\u003elist\u003c/code\u003e fields, or custom code using \u003ccode\u003eSane\u003c/code\u003e API) for potential malicious payloads.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma Rule for XSS Attempts\u003c/strong\u003e: Deploy the \u003ccode\u003eDetect CVE-2026-54002 XSS Injection in Kirby Panel\u003c/code\u003e Sigma rule to your webserver logs (category \u003ccode\u003ewebserver\u003c/code\u003e) to identify attempts to inject XSS payloads into Kirby content fields.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement WAF/API Security\u003c/strong\u003e: Implement a Web Application Firewall (WAF) or API security gateway to block requests containing known XSS patterns targeting CMS editing endpoints, acting as an additional layer of defense.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:25:22Z","date_published":"2026-06-18T15:25:22Z","id":"https://feed.craftedsignal.io/briefs/2026-06-kirby-xss-dom-sanitize/","summary":"A high-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54002, exists in Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3, allowing authenticated Panel users to inject malicious markup into `writer` or `list` fields or via `Sane` API-dependent custom code, leading to stored XSS and potential privilege escalation.","title":"Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in Dom::sanitize()","url":"https://feed.craftedsignal.io/briefs/2026-06-kirby-xss-dom-sanitize/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kirby CMS (\u003c= 4.9.3)","Kirby CMS (\u003e= 5.0.0-alpha.1, \u003c= 5.4.3)"],"_cs_severities":["critical"],"_cs_tags":["web-vulnerability","cms","initial-access","privilege-escalation","kirby"],"_cs_type":"advisory","_cs_vendors":["Kirby"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-54003, affects Kirby CMS versions up to 4.9.3 and from 5.0.0-alpha.1 to 5.4.3. This flaw, dubbed \u0026quot;External Initialization,\u0026quot; enables unauthenticated remote attackers to create the initial administrative user account, effectively installing the Kirby Panel with full control over the CMS. The vulnerability arises in specific configurations where Kirby sites, without any configured user accounts, operate behind a reverse proxy that uses the \u003ccode\u003eForwarded: for=...\u003c/code\u003e, \u003ccode\u003eX-Client-IP\u003c/code\u003e, or \u003ccode\u003eX-Real-IP\u003c/code\u003e HTTP headers. Kirby's \u003ccode\u003eisLocal\u003c/code\u003e check, designed to prevent remote installation, failed to properly account for these headers, leading it to incorrectly assume a remote connection was local. This misidentification grants an attacker the ability to bypass security controls and seize control of the Kirby instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: Attacker identifies a publicly accessible Kirby CMS instance lacking any configured user accounts, typically indicated by a redirect to the installation wizard upon accessing the Panel URL (\u003ccode\u003e/panel\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReverse Proxy Identification\u003c/strong\u003e: Attacker determines that the target Kirby instance is fronted by a reverse proxy that uses \u003ccode\u003eForwarded: for=...\u003c/code\u003e, \u003ccode\u003eX-Client-IP\u003c/code\u003e, or \u003ccode\u003eX-Real-IP\u003c/code\u003e headers for client IP forwarding.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious Request\u003c/strong\u003e: Attacker crafts an HTTP POST request to the Kirby Panel installation endpoint (e.g., \u003ccode\u003e/api/system/install\u003c/code\u003e or similar, depending on Kirby version and setup), including a forged \u003ccode\u003eForwarded\u003c/code\u003e, \u003ccode\u003eX-Client-IP\u003c/code\u003e, or \u003ccode\u003eX-Real-IP\u003c/code\u003e header set to a local IP address (e.g., \u003ccode\u003e127.0.0.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass \u003ccode\u003eisLocal\u003c/code\u003e Check\u003c/strong\u003e: The crafted request containing the local IP in the vulnerable header is forwarded by the reverse proxy to the Kirby backend. Kirby's \u003ccode\u003eisLocal\u003c/code\u003e check misinterprets the request as originating from a local source due to the forged header.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Admin Account Creation\u003c/strong\u003e: The Kirby application proceeds with the installation process, allowing the attacker to provide desired credentials (username, password, email) for a new administrator account via the HTTP POST body.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdministrator Access\u003c/strong\u003e: Upon successful submission, the attacker-defined administrator account is created, granting full administrative control over the Kirby CMS instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation\u003c/strong\u003e: The attacker can now perform any actions available to an administrator, including content modification, data exfiltration, plugin installation, or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54003 grants unauthenticated attackers full administrative control over the affected Kirby CMS instance. This directly leads to complete compromise of the website, allowing for arbitrary content modification, defacement, data theft (including user information if stored), and potentially the injection of malicious code or backdoors into the web application. Given Kirby's use in various industries for content management, the potential victim scope includes any organization or individual utilizing unpatched Kirby versions behind specific reverse proxy configurations with no existing admin users. The vulnerability's criticality stems from the ease of exploitation and the immediate elevation to administrative privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-54003 immediately\u003c/strong\u003e: Update Kirby CMS to version \u003ccode\u003e4.9.4\u003c/code\u003e, \u003ccode\u003e5.4.4\u003c/code\u003e, or a later patched version as detailed in the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the provided Sigma rules\u003c/strong\u003e: Implement the \u003ccode\u003eDetects CVE-2026-54003 Exploitation - Kirby Remote Panel Init\u003c/code\u003e rules to your SIEM to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfigure Workarounds\u003c/strong\u003e: If immediate patching is not feasible, perform the Panel installation yourself by creating an initial admin account. This disables the vulnerable installation code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Panel API\u003c/strong\u003e: As an alternative workaround, if the Panel is not needed, disable the REST API with the \u003ccode\u003e'api' =\u0026gt; false\u003c/code\u003e option in \u003ccode\u003econfig.php\u003c/code\u003e to prevent access to the installation endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Reverse Proxy Configuration\u003c/strong\u003e: Ensure your reverse proxy is configured to properly handle \u003ccode\u003eX-Forwarded-For\u003c/code\u003e or \u003ccode\u003eClient-IP\u003c/code\u003e headers if possible, or verify that \u003ccode\u003eForwarded: for=...\u003c/code\u003e, \u003ccode\u003eX-Client-IP\u003c/code\u003e, and \u003ccode\u003eX-Real-IP\u003c/code\u003e are not inadvertently exposing internal IP addresses or being spoofed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:18:49Z","date_published":"2026-06-18T15:18:49Z","id":"https://feed.craftedsignal.io/briefs/2026-06-kirby-external-panel-init/","summary":"A critical external initialization vulnerability (CVE-2026-54003) in Kirby CMS allows unauthenticated attackers to create an initial admin account on sites running behind a reverse proxy, specifically when the proxy utilizes `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` headers, bypassing Kirby's `isLocal` check and enabling remote Panel installation with full administrative access.","title":"Critical Kirby CMS Vulnerability Allows Remote Admin Account Creation via Reverse Proxy Headers (CVE-2026-54003)","url":"https://feed.craftedsignal.io/briefs/2026-06-kirby-external-panel-init/"}],"language":"en","title":"CraftedSignal Threat Feed - Kirby CMS (\u003e= 5.0.0-Alpha.1, \u003c= 5.4.3)","version":"https://jsonfeed.org/version/1.1"}