Tag
#Kirby
Understanding Self-Cross-Site Scripting (Self-XSS) in Kirby's Writer Field
This educational analysis covers a self-cross-site scripting (self-XSS) vulnerability in Kirby's writer field, affecting sites using this feature in any blueprint. The vulnerability, tracked as CVE-2026-49276, allows attackers to inject malicious links into content, which can be executed by the same user who entered it before saving the content. The attack requires knowledge of the content structure and social engineering of a user with access to the Panel, and it cannot be automated.
Critical Vulnerability in Kirby: External Initialization of the Panel via Reverse Proxy
A critical vulnerability (CVE-2026-54003, CVSS 9.1) in Kirby allows attackers to initialize the Panel on publicly accessible servers behind a reverse proxy, enabling remote admin account creation. Sites with no configured user accounts and specific reverse proxy setups are affected. Immediate action is required to prevent exploitation.