Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-wr9h-4r83-f4v6 | Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()` |
Thu, 09 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 09 Jul 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins that use the writer or list fields or call Dom::sanitize(), Sane::sanitize(), Sane::Html::sanitize(), Sane::Svg::sanitize(), Sane::Xml::sanitize(), Sane::sanitizeFile(), or file sanitizeContents() with untrusted input allow malicious markup injected as children of an unknown HTML or XML tag to pass through Dom::sanitize() without being correctly sanitized, causing stored cross-site scripting. This issue is fixed in versions 4.9.4 and 5.4.4. | |
| Title | Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()` | |
| Weaknesses | CWE-79 CWE-87 |
|
| References |
|
|
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T19:26:59.702Z
Reserved: 2026-06-11T16:34:11.635Z
Link: CVE-2026-54002
Updated: 2026-07-09T19:26:55.931Z
No data.
No data.
OpenCVE Enrichment
No data.
Github GHSA