https://feed.craftedsignal.io/tags/kirby-cms/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 26 May 2026 23:58:21 +0000https://feed.craftedsignal.io/briefs/2026-05-kirby-path-traversal/Tue, 26 May 2026 23:58:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-kirby-path-traversal/Kirby CMS versions 5.3.0 through 5.4.0 are vulnerable to pre-authentication path traversal, allowing an attacker to include arbitrary PHP files with the filename `index.php`, potentially leading to sensitive information disclosure or malicious actions due to insufficient validation of the provided user ID during user lookup.Kirby CMS versions 5.3.0 to 5.4.0 are vulnerable to a path traversal vulnerability. This flaw stems from insufficient validation of user IDs during user lookup, a performance improvement introduced in version 5.3.0. The vulnerability is pre-authentication, meaning no prior access is required. By exploiting this flaw, attackers can include arbitrary PHP files named index.php, potentially gaining the ability to execute malicious code or disclose sensitive information. This issue impacts the authentication API, users API, and any other instance where $users->find() is used with a request-provided email or user ID. Successful exploitation allows attackers to probe for the existence of arbitrary directories, enabling fingerprinting of the server setup, installed plugins, and content structure.

Attack Chain

1. An attacker sends a request to the authentication API, users API, or any endpoint using $users->find() with a crafted user ID.
2. The crafted user ID contains path traversal sequences (e.g., ../) to navigate outside the intended user account directory.
3. Kirby CMS constructs a file path using the manipulated user ID to locate the user’s account directory within site/accounts/.
4. Due to insufficient validation, the path traversal sequences are not properly sanitized.
5. The application attempts to include an index.php file from the traversed path.
6. If a file named index.php exists in the traversed directory, it is included and executed by the PHP interpreter.
7. Depending on the contents of the included index.php, sensitive information may be disclosed or arbitrary code may be executed.
8. The attacker leverages the code execution to further compromise the system or exfiltrate data.

Impact

The path traversal vulnerability in Kirby CMS versions 5.3.0 through 5.4.0 can lead to arbitrary PHP file inclusion, allowing attackers to execute malicious code or disclose sensitive data. Successful exploitation enables attackers to probe the existence of arbitrary directories on the server, facilitating fingerprinting of the server setup, installed plugins, and content structure. This vulnerability is rated high severity because it’s pre-authentication and enables full system compromise if a vulnerable index.php file is reachable.

Recommendation

• Upgrade to Kirby CMS version 5.4.1 or later to patch the vulnerability as advised in the Kirby 5.4.1 release notes.
• Deploy the Sigma rule Detect Kirby CMS Path Traversal Attempt to detect exploitation attempts by monitoring HTTP requests with path traversal sequences.
• Monitor web server logs for requests containing ../ sequences in the user ID or email parameters to identify potential path traversal attempts.

]]>highthreatpath-traversalphp-file-inclusionkirby-cmsCVE-2026-44177https://feed.craftedsignal.io/briefs/2026-05-kirby-cms-xss/Tue, 26 May 2026 23:52:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-kirby-cms-xss/Kirby CMS is vulnerable to cross-site scripting (XSS) via the list field or list block, allowing an authenticated Panel user with update permission to inject malicious HTML code into the content file, which is then executed in the browsers of site visitors and logged-in users; the vulnerability is tracked as CVE-2026-44175 and has been patched in versions 4.9.1 and 5.4.1.Kirby CMS versions prior to 4.9.1 and from 5.0.0 to 5.4.0 are susceptible to a stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-44175, stemming from the improper sanitization of list field content. This vulnerability affects all Kirby sites that use the list field or list block when content is authored by users who may not be fully trusted. An attacker requires an authenticated Panel user with update permission to any list field or list block. The attack surfaces in the site frontend, not the Panel itself. Kirby sites are not affected if they don’t use the list field (or blocks field with the list block) in any of their blueprints, or if every user who can edit content is fully trusted.

Attack Chain

1. An attacker gains authenticated access to the Kirby Panel with update permissions.
2. The attacker identifies a page or content structure that utilizes a ’list’ field or ‘blocks’ field with the ’list’ block.
3. The attacker crafts a malicious payload containing JavaScript code embedded within HTML tags.
4. The attacker injects the malicious payload into the ’list’ field content, either directly via API or through the Panel’s editing interface.
5. The attacker saves the modified content. The injected payload is stored within the content files on the server.
6. A user (either another authenticated user or an unauthenticated visitor) requests the page containing the affected ’list’ field on the site frontend.
7. The server renders the page, including the injected malicious HTML code from the ’list’ field.
8. The user’s browser executes the injected JavaScript code, potentially leading to session hijacking, data theft, or other malicious actions.

Impact

Successful exploitation of this XSS vulnerability (CVE-2026-44175) allows an attacker to execute arbitrary JavaScript code in the context of a user’s browser session. This can lead to credential theft, session hijacking, defacement of the website, or redirection to malicious sites. The impact is high severity, as it affects all Kirby sites using the list field when content is authored by users who may not be fully trusted. The number of victims depends on the number of affected sites and the frequency with which users access pages containing the injected payload.

Recommendation

• Upgrade to Kirby CMS version 4.9.1 or 5.4.1 or later to apply the patch that sanitizes list field content, mitigating the XSS vulnerability (CVE-2026-44175).
• Implement strict input validation and output encoding mechanisms on all user-supplied data within the Kirby CMS environment.
• Review existing content for potentially malicious code within list fields and sanitize the content.
• Deploy a Web Application Firewall (WAF) with rules to detect and block XSS attacks targeting Kirby CMS, specifically focusing on the ’list’ field and ‘blocks’ field inputs.
• Enable logging for all API requests to the Kirby Panel to monitor for suspicious activity and potential payload injections.

]]>highthreatxssCVE-2026-44175kirby-cmsweb-application