๐Ÿ” CVE Alert

CVE-2026-49276

UNKNOWN 0.0

Kirby: Self cross-site scripting (self-XSS) in the writer field

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
21th

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the writer field in any blueprint allowed a scripting link to be included as the target of a link or email link in writer mark components, making the target clickable by the user who entered it and enabling self cross-site scripting in the Panel. This issue is fixed in versions 4.9.4 and 5.4.4.

CWE CWE-83
Vendor getkirby
Product kirby
Published Jul 9, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for getkirby kirby

Be the first to know when new unknown vulnerabilities affecting getkirby kirby are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

getkirby / kirby
< 4.9.4 >= 5.0.0, < 5.4.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getkirby/kirby/security/advisories/GHSA-rhj6-r49h-5932 github.com: https://github.com/getkirby/kirby/releases/tag/4.9.4 github.com: https://github.com/getkirby/kirby/releases/tag/5.4.4