CVE-2026-49276
Kirby: Self cross-site scripting (self-XSS) in the writer field
CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
21th
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the writer field in any blueprint allowed a scripting link to be included as the target of a link or email link in writer mark components, making the target clickable by the user who entered it and enabling self cross-site scripting in the Panel. This issue is fixed in versions 4.9.4 and 5.4.4.
| CWE | CWE-83 |
| Vendor | getkirby |
| Product | kirby |
| Published | Jul 9, 2026 |
| Last Updated | Jul 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for getkirby kirby
Be the first to know when new unknown vulnerabilities affecting getkirby kirby are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
getkirby / kirby
< 4.9.4 >= 5.0.0, < 5.4.4