{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45368/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cms (\u003c= 4.9.0)","cms (\u003e= 5.0.0, \u003c= 5.4.0)"],"_cs_severities":["high"],"_cs_tags":["xss","kirbycms","cve-2026-45368"],"_cs_type":"threat","_cs_vendors":["getkirby"],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability exists in Kirby CMS affecting sites that use the \u003ccode\u003e(link: …)\u003c/code\u003e KirbyTag, the \u003ccode\u003elink:\u003c/code\u003e parameter of the \u003ccode\u003e(image: …)\u003c/code\u003e KirbyTag, the built-in \u003ccode\u003eimage\u003c/code\u003e block with a link, or the HTML importer for blocks. The vulnerability, identified as CVE-2026-45368, can be exploited by an authenticated Panel user with update permissions to \u003ccode\u003etextarea\u003c/code\u003e or \u003ccode\u003eblocks\u003c/code\u003e fields, or write access to content files via other means. Successful exploitation allows an attacker to inject malicious JavaScript into content, which will then execute in the browsers of other site visitors or logged-in users who interact with the crafted links. This can lead to session hijacking, data theft, or other malicious activities within the context of the affected user\u0026rsquo;s browser session. The issue is patched in Kirby versions 4.9.1 and 5.4.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to the Kirby CMS Panel with permissions to edit content.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a page or content section with a \u003ccode\u003etextarea\u003c/code\u003e or \u003ccode\u003eblocks\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious link using either the \u003ccode\u003e(link: …)\u003c/code\u003e KirbyTag, the \u003ccode\u003elink:\u003c/code\u003e parameter of the \u003ccode\u003e(image: …)\u003c/code\u003e KirbyTag, the built-in \u003ccode\u003eimage\u003c/code\u003e block, or the HTML importer. This link uses a \u003ccode\u003ejavascript:\u003c/code\u003e, \u003ccode\u003evbscript:\u003c/code\u003e, \u003ccode\u003elivescript:\u003c/code\u003e, \u003ccode\u003emocha:\u003c/code\u003e, \u003ccode\u003ejar:\u003c/code\u003e, or \u003ccode\u003edata:\u003c/code\u003e URI scheme with an embedded JavaScript payload.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the content, persisting the malicious link in the CMS database.\u003c/li\u003e\n\u003cli\u003eA user visits the page containing the malicious link on the site frontend.\u003c/li\u003e\n\u003cli\u003eThe malicious link is rendered as an \u003ccode\u003e\u0026lt;a\u0026gt;\u003c/code\u003e tag in the HTML of the page.\u003c/li\u003e\n\u003cli\u003eThe user clicks on the malicious link.\u003c/li\u003e\n\u003cli\u003eThe browser executes the JavaScript payload embedded in the \u003ccode\u003ehref\u003c/code\u003e attribute of the link within the user\u0026rsquo;s session, potentially allowing the attacker to perform actions on behalf of the user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability (CVE-2026-45368) could allow an attacker to execute arbitrary JavaScript code in the context of other users\u0026rsquo; browsers. This can lead to session hijacking, where the attacker gains control of a user\u0026rsquo;s authenticated session within the Kirby CMS Panel, potentially escalating privileges to administrative roles. Other potential impacts include defacement of the website, theft of sensitive information, or redirection of users to malicious websites. The severity is high due to the ease of exploitation and potential for widespread impact on site visitors and administrators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Kirby CMS to version 4.9.1 or 5.4.1 or later to patch CVE-2026-45368, as indicated in the patch information.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Javascript URI Scheme in Link Tag\u003c/code\u003e to detect attempts to inject malicious links with dangerous URI schemes.\u003c/li\u003e\n\u003cli\u003eEducate content editors about the risks of XSS and the importance of sanitizing user-supplied input, referencing the affected components described in this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T17:44:19Z","date_published":"2026-05-27T17:44:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-kirby-cms-xss/","summary":"Kirby CMS is vulnerable to stored cross-site scripting (XSS) due to insufficient sanitization of links within KirbyTags and image blocks, allowing authenticated users with content editing privileges to inject malicious JavaScript that executes when other users interact with the crafted links on the site frontend; patched in versions 4.9.1 and 5.4.1.","title":"Kirby CMS Stored XSS Vulnerability in KirbyTags and Image Blocks (CVE-2026-45368)","url":"https://feed.craftedsignal.io/briefs/2026-05-kirby-cms-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-45368","version":"https://jsonfeed.org/version/1.1"}