CVE-2026-49276: Kirby: Self cross-site scripting (self-XSS) in the writer field
In affected releases, the link and email marks did not prevent XSS payloads from being submitted to the writer field’s content data:
- The `link` mark allowed users to enter JavaScript URLs using the “custom” URL type. These URLs would already be sanitized by the backend before storing the malicious link in the content file. However, the link may be clicked by the same user who entered it before the content is saved.
- The `email` mark was also vulnerable to injected JavaScript URLs. However, it was not possible to perform the attack via the Panel user interface due to email validation. The attack needed to be performed via a side channel such as the browser console.
The vulnerability allows attackers to inject malicious links into content. If the authenticated user clicked such a link before saving the content, the malicious script code would then be executed in their browser.
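The gap described above is that the backend sanitized link hrefs only at save time, so a client-side check at the point where a mark is created is what closes it. The following is an added example and not Kirby's own code: it parses each mark's href with the WHATWG URL parser and accepts only an allowlisted scheme, so a `javascript:` URL is rejected before it ever becomes a clickable link in the editor. Function names, the scheme allowlist and the email pattern are assumptions for this example.

```javascript
// Added example (not Kirby's code): allowlist-based href validation for
// writer-field link and email marks, run client-side before a mark is
// created. Names and the scheme allowlist are assumptions.

const LINK_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Base used only to resolve relative links ("/docs", "#top") so their
// scheme can be inspected; the resolved value itself is never returned.
const RELATIVE_BASE = "https://relative.invalid/";

// Returns the href if it is safe to store in a link mark, else null.
// The WHATWG URL parser strips leading/trailing control characters and
// embedded tabs/newlines and lowercases the scheme, which defeats
// "  JaVaScRiPt:" and "java\tscript:" style variations.
function sanitizeLinkHref(href) {
  if (typeof href !== "string" || href.trim() === "") return null;
  let parsed;
  try {
    parsed = new URL(href, RELATIVE_BASE);
  } catch {
    return null; // unparseable: reject rather than guess
  }
  if (!LINK_SCHEMES.has(parsed.protocol)) return null;
  return href.trim();
}

// Email marks are stricter: the stored href must be a mailto: URL whose
// target is a single plausible address. This also covers values injected
// via the browser console that bypass the Panel's form validation.
const EMAIL_RE = /^[^\s@<>"]+@[^\s@<>"]+\.[^\s@<>"]+$/;

function sanitizeEmailHref(value) {
  if (typeof value !== "string") return null;
  const raw = value.trim();
  // Accept a bare address as well as an explicit mailto: href.
  const href = /^mailto:/i.test(raw) ? raw : `mailto:${raw}`;
  let address;
  try {
    const parsed = new URL(href);
    if (parsed.protocol !== "mailto:") return null;
    address = decodeURIComponent(parsed.pathname);
  } catch {
    return null; // bad URL or malformed percent-encoding
  }
  return EMAIL_RE.test(address) ? `mailto:${address}` : null;
}
```

Both functions return `null` on rejection so the caller can refuse to create the mark rather than silently storing a stripped value.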