CVE-2026-32870 Kirby has XML injection in its XML creator toolkit

Kirby is an open-source content management system. Kirby's Xml::value method has special handling for blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check int...

CVE-2026-32870

Kirby (pre-4.9.0 and pre-5.4.0) has a vulnerability in its Xml::value() handling of CDATA blocks that could allow inputs containing a valid CDATA block plus other structured data to bypass protection. This affects code paths that use Xml::value(), Xml::tag(), Xml::create(), and the Xml data handl...