Main Vulnerability Database Vulnerabilities #VU126892

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Kirby - CVE-2021-32735

Published: July 2, 2021 / Updated: April 23, 2026

Vulnerability identifier: #VU126892

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2021-32735

CWE-ID: CWE-80

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Kirby

Software vendor:
Ian Stewart

Description

The vulnerability allows a remote user to execute arbitrary JavaScript code in another user's Panel session.

The vulnerability exists due to cross-site scripting in the Panel ListItem component and related Panel content rendering when displaying field and configuration text. A remote user can inject crafted HTML or script content to execute arbitrary JavaScript code in another user's Panel session.

Exploitation can lead to requests being triggered to Kirby's API with the permissions of the victim.

Remediation

Install security update from vendor's website.

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Kirby - CVE-2021-32735

Description

Remediation

External links

Please verify you're human