Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-924u-ruz7-4ycw
Vulnerability ID VCID-924u-ruz7-4ycw
Aliases CVE-2026-32870
GHSA-9wfj-c55w-j9qr
Summary Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-91 XML Injection (aka Blind XPath Injection)
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2026-32870
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2026-32870
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2026-32870
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-9wfj-c55w-j9qr
cvssv4 6.9 https://github.com/getkirby/kirby
generic_textual MODERATE https://github.com/getkirby/kirby
cvssv4 6.9 https://github.com/getkirby/kirby/releases/tag/4.9.0
generic_textual MODERATE https://github.com/getkirby/kirby/releases/tag/4.9.0
ssvc Track https://github.com/getkirby/kirby/releases/tag/4.9.0
cvssv4 6.9 https://github.com/getkirby/kirby/releases/tag/5.4.0
generic_textual MODERATE https://github.com/getkirby/kirby/releases/tag/5.4.0
ssvc Track https://github.com/getkirby/kirby/releases/tag/5.4.0
cvssv3.1_qr MODERATE https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr
cvssv4 6.9 https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr
generic_textual MODERATE https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr
ssvc Track https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2026-32870
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-32870
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-32870
https://github.com/getkirby/kirby
https://nvd.nist.gov/vuln/detail/CVE-2026-32870
4.9.0 https://github.com/getkirby/kirby/releases/tag/4.9.0
5.4.0 https://github.com/getkirby/kirby/releases/tag/5.4.0
GHSA-9wfj-c55w-j9qr https://github.com/advisories/GHSA-9wfj-c55w-j9qr
GHSA-9wfj-c55w-j9qr https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N Found at https://github.com/getkirby/kirby
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N Found at https://github.com/getkirby/kirby/releases/tag/4.9.0
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/ Found at https://github.com/getkirby/kirby/releases/tag/4.9.0
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N Found at https://github.com/getkirby/kirby/releases/tag/5.4.0
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/ Found at https://github.com/getkirby/kirby/releases/tag/5.4.0
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N Found at https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-24T16:29:59Z/ Found at https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-32870
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.13417
EPSS Score 0.00043
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:49:22.513362+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/32xxx/CVE-2026-32870.json 38.6.0