Kirby CMS is vulnerable to cross-site scripting (XSS) via the list field or list block. An authenticated Panel user with update permission can inject malicious HTML code into the content file, which is then executed in the browsers of site visitors and logged-in users. The vulnerability is tracked as CVE-2026-44175 and has been patched in versions 4.9.1 and 5.4.1.