CVE-2026-44175: Kirby CMS: stored XSS in list field enables session hijack

GHSA-5fhx-9q32-q257 HIGH
Published May 26, 2026
CISO Take

Kirby CMS fails to sanitize HTML content in list fields and list blocks on save, allowing any authenticated Panel user with update permissions to inject persistent JavaScript that executes in every subsequent visitor's browser — including logged-in admins. With 469 downstream dependents and Kirby commonly used as the content layer for AI product sites and dashboards, a low-privilege contributor account can escalate to full admin access by harvesting session tokens when an administrator browses the compromised frontend. No public exploit or EPSS data is available yet, but stored XSS with automatic admin escalation potential in a production CMS has a well-understood exploitation path requiring minimal attacker sophistication. Patch immediately to Kirby 4.9.1 (4.x branch) or 5.4.1 (5.x branch); if patching is delayed, revoke Panel write access for all non-fully-trusted users and audit existing list field content in content files for unexpected script tags or onerror/onload event handlers.

Sources: GitHub Advisory, NVD, OpenSSF

What is the risk?

Risk is HIGH for any organization running Kirby CMS as the content management layer for AI-powered products or internal ML dashboards. The attack requires authenticated Panel access — a realistic threat model for multi-author sites, contractors, or insider threats — and yields auto-firing XSS that needs no victim interaction beyond a normal page visit. Privilege escalation to admin is a well-documented consequence of XSS in Panel-driven CMSs. An OpenSSF Scorecard of 7.1/10 and six prior CVEs in the same package indicate a maturing but historically vulnerability-prone codebase. The absence of active exploitation evidence reduces immediate urgency slightly, but the simplicity of the exploit and the high value of admin credentials on AI product sites elevate the practical risk.

Attack Kill Chain

Authenticated Injection (AML.T0049)
An attacker with a low-privilege Panel account sends a crafted direct API request to Kirby's content update endpoint, embedding malicious JavaScript in a list field value and thereby bypassing the Panel UI's frontend sanitization.
Payload Persistence
Kirby stores the unsanitized HTML payload directly in the content flat file, so the malicious script persists for every future page render without any further attacker action.
Victim Execution (AML.T0078)
An administrator or authenticated user browses any frontend page that renders the compromised list field; the injected JavaScript auto-fires in their browser with no interaction required beyond the page load.
Privilege Escalation (AML.T0012)
The executed payload exfiltrates the victim's Panel session token to an attacker-controlled server, granting the attacker full administrative access to the CMS and to any integrated AI service credentials or configurations.

What systems are affected?

Package: getkirby/cms (composer)
Vulnerable range: <= 4.9.0
Patched: 4.9.1
5.7K · OpenSSF 7.1 · 469 dependents · Pushed 3d ago · 86% patched · ~0d to patch


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. PATCH

    Upgrade to Kirby 4.9.1 or 5.4.1 immediately — both releases add backend HTML sanitization to list field save handlers, equivalent to the existing writer field protection.

  2. AUDIT

    Search content files (typically under /content/) for list field entries containing <script>, javascript:, onerror=, onload=, or data: URI patterns. Kirby stores content as flat files, making grep-based scanning straightforward.

  3. RESTRICT (if patching is delayed)

    Remove update permissions from any Panel users who are not fully trusted; consider setting list fields to read-only in blueprints.

  4. DETECT

    Enable CSP headers with strict script-src to limit XSS execution scope and generate violation reports for detection.

  5. MONITOR

    Review Panel access logs for direct API calls to list field update endpoints from unusual user agents or IPs, which bypass the Panel's frontend sanitization.
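To support the AUDIT step above, here is an added scanner (example code, not part of this advisory and not Kirby's own code) that parses Kirby's flat content files (`Field: value` entries separated by `----` lines) and flags the markers listed in that step, both in list fields and in list blocks inside blocks fields. The names of the list fields come from your blueprints; the block layout `{"type": "list", "content": {"text": "<ul>...</ul>"}}` is an assumption, as is the constructed sample file at the bottom.

```python
import json
import re

# Kirby flat-file content: "Field: value" entries separated by lines of four or more dashes.
FIELD_SEP = re.compile(r"^\s*-{4,}\s*$", re.MULTILINE)
# Markers named in the AUDIT step, matched case-insensitively and tolerant of whitespace padding.
MARKERS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "javascript: URI": re.compile(r"javascript\s*:", re.I),
    "onerror/onload handler": re.compile(r"\bon(?:error|load)\s*=", re.I),
    "data: URI": re.compile(r"""=\s*["']?\s*data\s*:""", re.I),
}

def parse_content(text):
    """Split one Kirby content file into {lowercase field name: value}."""
    fields = {}
    for chunk in FIELD_SEP.split(text):
        name, sep, value = chunk.partition(":")
        if sep and name.strip():
            fields[name.strip().lower()] = value.strip()
    return fields

def find_markers(html):
    """Return the names of every marker present in one HTML string."""
    return [name for name, rx in MARKERS.items() if rx.search(html)]

def scan_fields(fields, list_fields):
    """Check list fields (names taken from the blueprints) and list blocks inside blocks fields."""
    hits = []
    for name, value in fields.items():
        if name in list_fields:
            if found := find_markers(value):
                hits.append((name, "list field", found))
        elif value.startswith("["):  # blocks fields are stored as a JSON array of blocks
            try:
                blocks = json.loads(value)
            except ValueError:
                continue
            for block in blocks:  # assumed layout: a list block keeps its HTML under content.text
                if isinstance(block, dict) and block.get("type") == "list":
                    if found := find_markers(str(block.get("content", {}).get("text", ""))):
                        hits.append((name, "list block " + str(block.get("id", "?")), found))
    return hits

# Constructed sample content file (not real site data) with one injected item in each location.
SAMPLE = """Features: <ul><li>Faster search</li><li><img src=x onerror=alert(1)></li></ul>
----
Blocks: [{"content":{"text":"<ul><li><a href='javascript:void(0)'>docs</a></li></ul>"},"id":"b1","type":"list"}]"""
```

To audit a whole site, feed `parse_content` the text of every `.txt` file under /content/ (for example via `pathlib.Path("content").rglob("*.txt")`) and pass the list field names from your blueprints to `scan_fields`.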

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001: A.9.6 - Information security measures for AI systems
NIST AI RMF: MANAGE-2.2 - Mechanisms exist to sustain and manage impacts of AI risks
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-44175?

Kirby CMS fails to sanitize HTML content in list fields and list blocks on save, allowing any authenticated Panel user with update permissions to inject persistent JavaScript that executes in every subsequent visitor's browser — including logged-in admins. With 469 downstream dependents and Kirby commonly used as the content layer for AI product sites and dashboards, a low-privilege contributor account can escalate to full admin access by harvesting session tokens when an administrator browses the compromised frontend. No public exploit or EPSS data is available yet, but stored XSS with automatic admin escalation potential in a production CMS has a well-understood exploitation path requiring minimal attacker sophistication. Patch immediately to Kirby 4.9.1 (4.x branch) or 5.4.1 (5.x branch); if patching is delayed, revoke Panel write access for all non-fully-trusted users and audit existing list field content in content files for unexpected script tags or onerror/onload event handlers.

Is CVE-2026-44175 actively exploited?

No confirmed active exploitation of CVE-2026-44175 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44175?

1. PATCH: Upgrade to Kirby 4.9.1 or 5.4.1 immediately — both releases add backend HTML sanitization to list field save handlers, equivalent to the existing writer field protection.
2. AUDIT: Search content files (typically under /content/) for list field entries containing <script>, javascript:, onerror=, onload=, or data: URI patterns. Kirby stores content as flat files, making grep-based scanning straightforward.
3. RESTRICT (if patching is delayed): Remove update permissions from any Panel users who are not fully trusted; consider setting list fields to read-only in blueprints.
4. DETECT: Enable CSP headers with strict script-src to limit XSS execution scope and generate violation reports for detection.
5. MONITOR: Review Panel access logs for direct API calls to list field update endpoints from unusual user agents or IPs, which bypass the Panel's frontend sanitization.

What systems are affected by CVE-2026-44175?

This vulnerability affects the following AI/ML architecture patterns: CMS-backed AI product sites, ML documentation portals, AI tool landing pages with content management, Internal AI dashboard portals using Kirby as CMS layer.

What is the CVSS score for CVE-2026-44175?

No CVSS score has been assigned yet.

AI Security Impact

Affected AI Architectures

CMS-backed AI product sites
ML documentation portals
AI tool landing pages with content management
Internal AI dashboard portals using Kirby as CMS layer

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0048.001 Reputational Harm
AML.T0049 Exploit Public-Facing Application
AML.T0078 Drive-by Compromise

Compliance Controls Affected

ISO 42001: A.9.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM02:2025

Technical Details

Original Advisory

### TL;DR

This vulnerability affects all Kirby sites that use the list field or list block, when content is authored by users who may not be fully trusted. The attack requires an authenticated Panel user with update permission to any list field or list block.

**This vulnerability is of high severity for affected sites.**

Kirby sites are *not* affected if they don't use the list field (or blocks field with the list block) in any of their blueprints, or if every user who can edit content is fully trusted.

The attack only surfaces in the site frontend (i.e. in the consuming project's templates). The Panel itself is unaffected and will not execute JavaScript that was injected into list field content.

----

### Introduction

Cross-site scripting (XSS) is a type of vulnerability that allows any kind of JavaScript code to be executed inside the site frontend or Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.

In a *stored* XSS attack, the malicious payload is saved into the content data and has the potential to affect other users or site visitors. Such vulnerabilities are critical if applications might have potential attackers in their group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on the site, other JavaScript-powered attacks are possible.

A specific class of stored XSS is auto-firing, meaning the malicious injected JavaScript code is executed by the browser when the page loads without the victim having to perform a specific action.

### Affected components

Kirby's [list field](https://getkirby.com/docs/reference/panel/fields/list) stores its formatted content as HTML code. Unlike with other field types, it is not possible to [escape HTML special characters](https://getkirby.com/docs/guide/templates/escaping) against cross-site scripting (XSS) attacks, otherwise the formatting would be lost.

### Impact

In affected releases, Kirby did not securely sanitize the contents of list fields on save. This allowed attackers to inject malicious HTML code into the content file by sending it to Kirby's API directly without using the Panel. This malicious HTML code would then be displayed on the site frontend and executed in the browsers of site visitors and logged-in users who are browsing the site.

### Patches

The problem has been patched in [Kirby 4.9.1](https://github.com/getkirby/kirby/releases/tag/4.9.1) and [Kirby 5.4.1](https://github.com/getkirby/kirby/releases/tag/5.4.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.

In all of the mentioned releases, Kirby has added HTML sanitization (like in the writer field) to the backend code that handles updates to the contents of list fields.

### Credits

Kirby thanks @offset for responsibly reporting the identified issue.

Exploitation Scenario

An attacker with a low-privilege Kirby Panel account — such as an editor or contractor on an AI product documentation site — crafts a direct HTTP request to Kirby's content API containing a list field value with an embedded XSS payload (e.g., a list item with an onerror attribute or inline script). The Panel's frontend editor would sanitize this on normal submission, but the attacker bypasses the UI and calls the API endpoint directly with the raw malicious payload. Kirby stores the unsanitized HTML in the content file. When a site administrator browses any page rendering that list field — such as a feature changelog or FAQ page — the malicious JavaScript auto-fires in their browser, silently exfiltrates the admin's Panel session cookie to an attacker-controlled server, and grants the attacker full administrative access to the CMS, potentially including API key management pages for AI services integrated into the site.

Timeline

Published: May 26, 2026
Last Modified: May 26, 2026
First Seen: May 27, 2026

Related Vulnerabilities