Cross-site scripting in Kirby - CVE-2026-44175
Published: May 22, 2026
Kirby
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript code in the site frontend.
The vulnerability exists due to improper neutralization of input during web page generation in the list field and list block content handling when processing updates sent to Kirby's API. A remote user can send crafted content containing malicious HTML code to execute arbitrary JavaScript code in the site frontend.
The attack requires an authenticated Panel user with permission to update a list field or list block. The injected code is stored in content and executes when the frontend renders the affected content.
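Because the injected markup persists in stored content, existing list field values are worth auditing. The following is an added example, not part of the advisory and not Kirby's own code: it checks list field values in a content file against an allowlist of tags and attributes. It covers list fields only, not list blocks; the `Name: value` fields separated by `----` lines, the field names, and the allowlist are assumptions.

```python
import re
from html.parser import HTMLParser

# Assumption: markup a list field legitimately stores; adjust to your blueprints.
ALLOWED_TAGS = {"ul", "ol", "li", "p", "br", "strong", "b", "em", "i", "u", "s", "code", "a"}
ALLOWED_ATTRS = {"a": {"href", "title", "target", "rel"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "tel:")

def href_is_safe(value):
    # Drop whitespace/control characters that browsers ignore inside a scheme.
    url = "".join(ch for ch in (value or "") if ch > " ").lower()
    head = re.split(r"[/?#]", url, maxsplit=1)[0]
    return ":" not in head or url.startswith(SAFE_SCHEMES)

class ListHtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"tag <{tag}>")
            return
        for name, value in attrs:  # attribute values arrive entity-decoded
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"attribute {name} on <{tag}>")
            elif name == "href" and not href_is_safe(value):
                self.findings.append(f"unsafe href on <{tag}>")

def parse_content_file(text):
    # Assumed layout: "Name: value" fields separated by lines of four dashes.
    pairs = (chunk.strip().partition(":") for chunk in re.split(r"\n----\s*\n", text))
    return {key.strip().lower(): value.strip() for key, sep, value in pairs if sep}

def audit_list_fields(text, list_fields):
    fields, report = parse_content_file(text), {}
    for name in list_fields:
        parser = ListHtmlAudit()
        parser.feed(fields.get(name, ""))
        parser.close()
        if parser.findings:
            report[name] = parser.findings
    return report

# Constructed sample content file; the field names are hypothetical.
SAMPLE = ('Features: <ul><li><p>Fast <strong>setup</strong></p></li></ul>\n\n----\n\n'
          'Steps: <ul><li onmouseover="track()">One</li>'
          '<li><a href="javascript:void(0)">Two</a></li><li><img src="x.png"></li></ul>\n')
```

Calling `audit_list_fields(SAMPLE, ["features", "steps"])` returns findings only for fields whose stored HTML falls outside the allowlist, which makes the result suitable for a review queue.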