CVE-2026-44175: Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend

May 26, 2026

In affected releases, Kirby did not securely sanitize the contents of list fields on save. This allowed attackers to inject malicious HTML code into the content file by sending it to Kirby’s API directly without using the Panel. This malicious HTML code would then be displayed on the site frontend and executed in the browsers of site visitors and logged in users who are browsing the site.

References

github.com/advisories/GHSA-5fhx-9q32-q257
github.com/getkirby/kirby/releases/tag/4.9.1
github.com/getkirby/kirby/releases/tag/5.4.1
github.com/getkirby/kirby/security/advisories/GHSA-5fhx-9q32-q257
nvd.nist.gov/vuln/detail/CVE-2026-44175

Code Behaviors & Features

Detect and mitigate CVE-2026-44175 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →