Improper Neutralization of Special Elements Used in a Template Engine in Kirby - CVE-2026-34587

Published: April 23, 2026


Vulnerability identifier: #VU127196
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34587
CWE-ID: CWE-1336
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information or modify site content.

The vulnerability exists because special elements used by the template engine are not properly neutralized during option rendering, where dynamic option values and text strings are processed when option fields are loaded or when OptionsApi or OptionsQuery data is handled. A remote user can place malicious query templates in query- or API-backed option sources to disclose sensitive information or modify site content.

Exploitation requires the use of option fields with dynamic options sourced from a query or an API, or direct use of the OptionsApi or OptionsQuery classes. Malicious templates are executed when the affected Panel view is loaded, so exploitation may occur either through the attacker's own Panel access or through another authenticated user's interaction with the manipulated view.


How to mitigate CVE-2026-34587

Install the security update from the vendor's website.

Sources