๐Ÿ” CVE Alert

CVE-2026-54002

UNKNOWN 0.0

Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins that use the writer or list fields or call Dom::sanitize(), Sane::sanitize(), Sane::Html::sanitize(), Sane::Svg::sanitize(), Sane::Xml::sanitize(), Sane::sanitizeFile(), or file sanitizeContents() with untrusted input allow malicious markup injected as children of an unknown HTML or XML tag to pass through Dom::sanitize() without being correctly sanitized, causing stored cross-site scripting. This issue is fixed in versions 4.9.4 and 5.4.4.

CWE CWE-79 CWE-87
Vendor getkirby
Product kirby
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for getkirby kirby

Be the first to know when new unknown vulnerabilities affecting getkirby kirby are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

getkirby / kirby
< 4.9.4 >= 5.0.0, < 5.4.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/getkirby/kirby/security/advisories/GHSA-wr9h-4r83-f4v6 github.com: https://github.com/getkirby/kirby/commit/0f0437b5128c910103cbc78fc34d94b2a3faef4c github.com: https://github.com/getkirby/kirby/commit/7ad76cf9c7387462828e6ebfc8404e31b37829e9 github.com: https://github.com/getkirby/kirby/commit/9ec1873864441dbc06479ef7823da348ec7f2700 github.com: https://github.com/getkirby/kirby/commit/bb2562e16c754493a403b8df84c9883108871e4c github.com: https://github.com/getkirby/kirby/releases/tag/4.9.4 github.com: https://github.com/getkirby/kirby/releases/tag/5.4.4