4 matches found
GHSA-JCJW-58RV-C452 Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
TL;DR This vulnerability affects all Kirby sites that use option fields (checkboxes, color, multiselect, select, radio, tags or toggles) with options from a query or API whose values may not be fully trusted. It also affects direct uses of the OptionsApi or OptionsQuery classes of Kirby's Options...
PT-2026-34816
Name of the Vulnerable Software and Affected Versions: Kirby versions prior to 4.9.0; Kirby versions prior to 5.4.0. Description: Kirby contains two distinct issues. First, the REST API allows the isDraft flag to be overridden during page creation. This enables authenticated attackers with the...
Cross-site Scripting (XSS)
getkirby/cms is vulnerable to Cross-site Scripting (XSS). The use of the v-html tag in MultiselectInput.vue allows an attacker to inject and execute malicious JavaScript through the dynamic options in the multi-select field...