Description
Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.
Published: 2026-04-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: XML Injection
Action: Immediate Patch
AI Analysis

Impact

Kirby's Xml::value() method improperly handles CDATA boilerplate when the input contains a valid CDATA section combined with extraneous XML markup. The flaw, a CWE‑91 weakness, allows attacker supplied input to bypass escaping and embed arbitrary XML fragments into output generated by site or plugin code. This could result in content tampering or manipulation of downstream systems that parse the flawed output.

Affected Systems

The problem exists in Kirby CMS versions prior to 4.9.0 in the 4.x series and prior to 5.4.0 in the 5.x series. It only affects sites or plugins that use the vulnerable XML creation utilities—Xml::tag(), Xml::create(), or Data::encode() with the 'xml' type. Sites that do not generate XML within their environment are not vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation would require an attacker to supply crafted input to the vulnerable XML functions, likely through a user‑facing form or a malicious plugin. The likely attack vector is an untrusted input channel that reaches these XML helpers. If an attacker succeeds, they can inject XML elements that downstream consumers might trust, leading to data corruption or privilege escalation within those workflows.

Generated by OpenCVE AI on April 28, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Kirby 4.9.0 or later, or to 5.4.0 or later, to apply the patched CDATA validation checks.
  • Identify any plugin or custom code that calls Xml::value(), Xml::tag(), Xml::create(), or Data::encode() with 'xml', and ensure they only process trusted or properly sanitized input.
  • Validate the resulting XML string before passing it to downstream systems, confirming it contains only CDATA blocks and no extraneous XML structure.

Generated by OpenCVE AI on April 28, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9wfj-c55w-j9qr Kirby has XML injection in its XML creator toolkit
History

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Getkirby
Getkirby kirby
CPEs cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*
Vendors & Products Getkirby
Getkirby kirby
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.
Title Kirby has XML injection in its XML creator toolkit
Weaknesses CWE-91
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N'}

Subscriptions

Getkirby Kirby
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T16:30:09.611Z

Reserved: 2026-03-16T21:03:44.419Z

Link: CVE-2026-32870

cve-icon Vulnrichment

Updated: 2026-04-24T16:30:06.402Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T01:16:11.953

Modified: 2026-04-27T19:21:18.017

Link: CVE-2026-32870

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses