VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-6zd1-91p6-tkfm

Essentials
Severities (12)
References (7)
Severity details (10)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-6zd1-91p6-tkfm
Aliases	CVE-2021-32735 GHSA-2f2w-349x-vrqm
Summary	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Kirby is a content management system. In Kirby CMS versions 3.5.5 and 3.5.6, the Panel's `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks. Malicious authenticated Panel users can escalate their privileges if they get access to the Panel session of an admin user. Visitors without Panel access can use the attack vector if the site allows changing site data from a frontend form. Kirby 3.5.7 patches the vulnerability. As a partial workaround, site administrators can protect against attacks from visitors without Panel access by validating or sanitizing provided data from the frontend form.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-80	Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

System	Score	Found at
epss	0.00383	https://api.first.org/data/v1/epss?cve=CVE-2021-32735
epss	0.00383	https://api.first.org/data/v1/epss?cve=CVE-2021-32735
cvssv3.1	7.1	https://github.com/getkirby/kirby
generic_textual	HIGH	https://github.com/getkirby/kirby
cvssv3.1	7.1	https://github.com/getkirby/kirby/commit/f5ead62f8510158bed5baf58ca0e851875778a09
generic_textual	HIGH	https://github.com/getkirby/kirby/commit/f5ead62f8510158bed5baf58ca0e851875778a09
cvssv3.1	7.1	https://github.com/getkirby/kirby/releases/tag/3.5.7
generic_textual	HIGH	https://github.com/getkirby/kirby/releases/tag/3.5.7
cvssv3.1	7.1	https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm
generic_textual	HIGH	https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm
cvssv3.1	7.1	https://nvd.nist.gov/vuln/detail/CVE-2021-32735
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2021-32735

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2021-32735
		https://github.com/getkirby/kirby
		https://github.com/getkirby/kirby/commit/f5ead62f8510158bed5baf58ca0e851875778a09
		https://github.com/getkirby/kirby/releases/tag/3.5.7
CVE-2021-32735		https://nvd.nist.gov/vuln/detail/CVE-2021-32735
GHSA-2f2w-349x-vrqm		https://github.com/advisories/GHSA-2f2w-349x-vrqm
GHSA-2f2w-349x-vrqm		https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/getkirby/kirby

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/getkirby/kirby/commit/f5ead62f8510158bed5baf58ca0e851875778a09

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.5.7

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-32735

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.5994
EPSS Score	0.00383
Published At	June 4, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:39:27.103622+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/getkirby/cms/CVE-2021-32735.yml	38.6.0