Tag
high
threat
Kirby CMS Pre-Authentication Path Traversal and PHP File Inclusion
2 rules, 1 TTP
Kirby CMS versions 5.3.0 through 5.4.0 are vulnerable to pre-authentication path traversal because the user ID provided during user lookup is insufficiently validated. An attacker can include arbitrary PHP files with the filename `index.php`, potentially leading to sensitive information disclosure or malicious actions.
cms
path-traversal
php-file-inclusion
kirby-cms
CVE-2026-44177
high
threat
Kirby CMS Vulnerable to Cross-Site Scripting (XSS) via List Field Content (CVE-2026-44175)
2 rules, 1 TTP
Kirby CMS is vulnerable to cross-site scripting (XSS) via the list field or list block. An authenticated Panel user with update permission can inject malicious HTML code into the content file, which is then executed in the browsers of site visitors and logged-in users. The vulnerability is tracked as CVE-2026-44175 and has been patched in versions 4.9.1 and 5.4.1.
cms
xss
CVE-2026-44175
kirby-cms
web-application