Tag
high
threat
Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in Dom::sanitize()
2 rules 2 TTPsA high-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54002, exists in Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3, allowing authenticated Panel users to inject malicious markup into `writer` or `list` fields or via `Sane` API-dependent custom code, leading to stored XSS and potential privilege escalation.
Kirby CMS +1
Authenticated Panel User
xss
web-application
cms
kirby-cms
2r
2t
high
threat
Kirby CMS Pre-Authentication Path Traversal and PHP File Inclusion
2 rules 1 TTPKirby CMS versions 5.3.0 through 5.4.0 are vulnerable to pre-authentication path traversal, allowing an attacker to include arbitrary PHP files with the filename `index.php`, potentially leading to sensitive information disclosure or malicious actions due to insufficient validation of the provided user ID during user lookup.
cms
path-traversal
php-file-inclusion
kirby-cms
CVE-2026-44177
2r
1t