Cross-site scripting in Kirby - CVE-2026-45368


Published: May 22, 2026


Vulnerability identifier: #VU132141
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45368
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ian Stewart
Affected software:
Kirby

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to insufficient validation of editor-supplied link targets in KirbyTags, image blocks, and the blocks HTML importer when content is rendered in the site frontend. A remote user with content-editing rights (PR:L in the CVSS vector) can place a link whose target uses a dangerous URI scheme (the classic case being a javascript: URL) into content; when the link is rendered unfiltered into the frontend HTML, clicking it executes arbitrary JavaScript in the victim's browser.

User interaction is required (UI:P) because the victim must click the rendered malicious link, and the issue affects the site frontend rather than the Panel itself.
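The failure mode above is a server-side renderer that HTML-escapes a link target (which is enough against tag injection) but never checks the target's URI scheme, so a javascript: URL survives into the href attribute. The following is an added example, written for this page and not code from Kirby or its vendor, showing that vulnerable pattern beside a hardened one that enforces a scheme allowlist. The allowlist, the helper names and the sample targets are assumptions chosen for illustration; the normalisation step mirrors how browsers drop ASCII control characters inside a scheme before interpreting it, which is why a naive `startswith("javascript:")` check is bypassable.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a typical CMS allowlist for editor-supplied link targets.
# Scheme-less (relative) targets are also accepted; everything else is dropped.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

# Browsers ignore ASCII control characters and whitespace when they parse the
# scheme of a URL, so "java\tscript:alert(1)" or "\x01javascript:..." is still
# executed. Strip the same characters before inspecting the scheme.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def link_scheme(target: str) -> Optional[str]:
    """Return the lower-cased scheme of a link target, or None if it is relative."""
    cleaned = _CONTROL_CHARS.sub("", target)
    scheme = urlsplit(cleaned).scheme  # urlsplit already lower-cases the scheme
    return scheme or None


def safe_href(target: str) -> Optional[str]:
    """Return the target unchanged if its scheme is allowed (or it is relative), else None."""
    scheme = link_scheme(target)
    if scheme is None or scheme in ALLOWED_SCHEMES:
        return target
    return None


def render_link_vulnerable(target: str, text: str) -> str:
    # The defect described in the advisory: attribute escaping stops tag injection,
    # but a javascript: target is passed through and runs when the link is clicked.
    return f'<a href="{html.escape(target, quote=True)}">{html.escape(text)}</a>'


def render_link_hardened(target: str, text: str) -> str:
    # Check the scheme first, then escape. If the scheme is not allowed, keep the
    # visible text and drop the link entirely rather than trying to "clean" the URL.
    href = safe_href(target)
    if href is None:
        return html.escape(text)
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(text)}</a>'


if __name__ == "__main__":
    # Constructed sample targets an editor could type into a link field.
    samples = [
        "https://example.com/",
        "/about",
        "mailto:editor@example.com",
        "javascript:alert(document.cookie)",
        "JavaScript:alert(1)",
        "java\tscript:alert(1)",
        "  javascript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
    ]
    for t in samples:
        print(repr(t))
        print("  vulnerable:", render_link_vulnerable(t, "click"))
        print("  hardened:  ", render_link_hardened(t, "click"))
```

Two design choices worth noting: the check runs on the normalised string but the original target is what gets escaped and emitted, so nothing the editor typed is silently rewritten; and protocol-relative targets such as `//other.example/` are accepted because they navigate rather than execute script, which is the property this check is meant to enforce. Because the output is attribute-escaped, entity-encoded tricks such as `javascript&colon;alert(1)` are rendered as `&amp;colon;` and never decode to a scheme in the browser.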


How to mitigate CVE-2026-45368

Install the security update from the vendor's website.

Sources