Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-rhj6-r49h-5932

Kirby: Self cross-site scripting (self-XSS) in the writer field

Also known asCVE-2026-49276
Published
Jun 18, 2026
Updated
Jun 18, 2026
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed

Blast Radius

2 pkgs affected
🐘getkirby/cms🐘getkirby/cms

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

TL;DR

This vulnerability affects Kirby sites that use the writer field in any blueprint.

It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it.

A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack cannot be automated.

In Kirby's default configuration, the vulnerability is limited to self-XSS and cannot directly affect other users or visitors of the site. Panel plugins that are directly using the <k-writer> component may also be affected by stored XSS if they don't sanitize the resulting HTML before saving it to the content.

This vulnerability is of high severity for affected sites.


Introduction

Cross-site scripting (XSS) is a type of vulnerability that allows attackers to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can, for example, trigger requests to Kirby's API with the permissions of the victim.

Self cross-site scripting (self-XSS) typically involves a user inadvertently executing malicious code within their own context, often through social engineering techniques. This can occur when a user is tricked into pasting and executing malicious JavaScript code into the browser's developer console, address bar or form fields.

In a stored XSS attack, the malicious payload is saved into the content data and has the potential to affect other users or site visitors.

Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.

Affected components

The writer field allows users to input formatted text, including links to arbitrary URLs and email addresses. Its link and email marks are therefore a target for XSS attacks.

As the vulnerability is in the writer mark components, it also affects all uses of the <k-writer> component in Panel plugins.

Impact

In affected releases, the link and email marks did not prevent XSS payloads from being submitted to the writer field's content data:

  • The link mark allowed users to enter JavaScript URLs using the "custom" URL type. These URLs would already be sanitized by the backend before storing the malicious link in the content file. However, the link may be clicked by the same user who entered it before the content is saved.
  • The email mark was also vulnerable to injected JavaScript URLs. However, it was not possible to perform the attack via the Panel user interface due to email validation. The attack needed to be performed via a side channel such as the browser console.

The vulnerability allows attackers to inject malicious links into content. If the authenticated user clicked such a link before saving the content, the malicious script code would then be executed in their browser.

Patches

The problem has been patched in Kirby 4.9.4 and Kirby 5.4.4. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have added more robust validation against dangerous URL schemes that are entered in the affected writer marks.

Affected Packages

2 total 2 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagistgetkirby/cmsall versions4.9.4
🐘Packagistgetkirby/cms5.0.0-alpha.1&&< 5.4.45.4.4

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for getkirby/cms. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update getkirby/cms to 4.9.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-rhj6-r49h-5932 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-rhj6-r49h-5932 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-rhj6-r49h-5932. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### TL;DR This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it. A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack *cannot* be automated. In Kirby's default configuration, the vulnerability is limited to self-XSS and *cannot* directly affect other users or visitors of the site. Panel plugins that
O3 Security · Impact-Aware SCA

Is GHSA-rhj6-r49h-5932 in your dependencies?

O3 detects GHSA-rhj6-r49h-5932 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.