Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-c2yw-7kk6-ykd8
Vulnerability ID VCID-c2yw-7kk6-ykd8
Aliases CVE-2021-41252
GHSA-x7j7-qp7j-hw3q
Summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Kirby is an open source file structured CMS ### Impact Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. Because the writer field did not securely sanitize its contents on save, it was possible to inject malicious HTML code into the content file by sending it to Kirby's API directly without using the Panel. This malicious HTML code would then be displayed on the site frontend and executed in the browsers of site visitors and logged in users who are browsing the site. Attackers must be in your group of authenticated Panel users in order to exploit this weakness. Users who do not make use of the writer field are not affected. This issue has been patched in Kirby 3.5.8 by sanitizing all writer field contents on the backend whenever the content is modified via Kirby's API. Please update to this or a later version to fix the vulnerability.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00785 https://api.first.org/data/v1/epss?cve=CVE-2021-41252
epss 0.00785 https://api.first.org/data/v1/epss?cve=CVE-2021-41252
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-x7j7-qp7j-hw3q
cvssv3.1 5.4 https://github.com/getkirby/kirby
generic_textual MODERATE https://github.com/getkirby/kirby
cvssv3.1 5.4 https://github.com/getkirby/kirby/commit/25fc5c6b330442e6433c99befc688f3698c5d1fc
generic_textual MODERATE https://github.com/getkirby/kirby/commit/25fc5c6b330442e6433c99befc688f3698c5d1fc
cvssv3.1 5.4 https://github.com/getkirby/kirby/releases/tag/3.5.8
generic_textual MODERATE https://github.com/getkirby/kirby/releases/tag/3.5.8
cvssv3.1 5.4 https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q
cvssv3.1_qr MODERATE https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q
generic_textual MODERATE https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2021-41252
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2021-41252
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2021-41252
https://github.com/getkirby/kirby
https://github.com/getkirby/kirby/commit/25fc5c6b330442e6433c99befc688f3698c5d1fc
https://github.com/getkirby/kirby/releases/tag/3.5.8
CVE-2021-41252 https://nvd.nist.gov/vuln/detail/CVE-2021-41252
GHSA-x7j7-qp7j-hw3q https://github.com/advisories/GHSA-x7j7-qp7j-hw3q
GHSA-x7j7-qp7j-hw3q https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/getkirby/kirby
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/getkirby/kirby/commit/25fc5c6b330442e6433c99befc688f3698c5d1fc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.5.8
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/getkirby/kirby/security/advisories/GHSA-x7j7-qp7j-hw3q
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-41252
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.74128
EPSS Score 0.00785
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:40:31.556626+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/getkirby/cms/CVE-2021-41252.yml 38.6.0