Kirby is a document-based content management system (CMS). A cross-site scripting vulnerability exists in Kirby CMS version v4.1.0, which stems from the lack of effective filtering and escaping of user-supplied data in link fields, and can be exploited by an attacker to execute arbitrary web script or HTML by injecting a specially crafted payload.