CVE-2026-32870: Kirby has XML injection in its XML creator toolkit
Kirby’s Xml::value() method has special handling for <![CDATA[ ]]> blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through. However, it was possible to trick this check into accepting values that contained a valid CDATA block together with other structured data outside of that block. This structured data would then also pass through unescaped, circumventing the value protection.
The Xml::value() method is used in Xml::tag(), Xml::create() and in the Xml data handler (e.g. Data::encode($string, 'xml')).
Neither the vulnerable methods nor the data handler is used in the Kirby core. However, they may be used in site or plugin code, e.g. to create XML strings from input data. If the generated XML is passed to another implementation that assigns specific meaning to the XML schema, manipulation of that system’s behavior is possible.
Kirby sites that don’t use XML generation in site or plugin code are not affected.
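One way site or plugin code can apply a strict version of the CDATA rule described above before a value reaches XML generation, as an added example that is not Kirby's code or its fix. The function names are hypothetical, the sample inputs are constructed, and PHP 8.0+ with the DOM extension is assumed.

```php
<?php
// Added example, not Kirby's implementation. All function names are hypothetical.

// True only if $value is exactly one CDATA section with nothing before or after it.
function isSingleCdataSection(string $value): bool
{
    $open  = '<![CDATA[';
    $close = ']]>';
    if (!str_starts_with($value, $open) || !str_ends_with($value, $close)) {
        return false;
    }
    // A "]]>" inside the body would end the section early and expose what follows.
    $body = substr($value, strlen($open), -strlen($close));
    return !str_contains($body, $close);
}

// Pass a lone CDATA section through; escape everything else as character data.
function escapeXmlValue(string $value): string
{
    if (isSingleCdataSection($value)) {
        return $value;
    }
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Regression check: does the encoded value add element nodes to its parent?
function addsElements(string $encoded): bool
{
    $doc = new DOMDocument();
    $doc->loadXML('<item>' . $encoded . '</item>');
    foreach ($doc->documentElement->childNodes as $node) {
        if ($node->nodeType === XML_ELEMENT_NODE) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs.
$samples = [
    'Tom & Jerry',
    '<![CDATA[Tom & Jerry]]>',
    '<![CDATA[a]]><extra/>',
    '<![CDATA[a]]><extra/><![CDATA[b]]>',
];
foreach ($samples as $input) {
    $encoded = escapeXmlValue($input);
    printf("%s => %s (adds elements: %s)\n", $input, $encoded, addsElements($encoded) ? 'yes' : 'no');
}
```

The last sample starts and ends like a CDATA section, so a check that only inspects the two ends of the string would still let the markup in the middle through; rejecting any "]]>" inside the body closes that gap.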