CVE-2026-54002 - Cross-site scripting (XSS) from incomplete HTML/XML sanitization in Dom::sanitize() (Kirby <= 4.9.3,5.0.0-5.4.3)
NetbyteSEC Security Advisory - Cross-site scripting (XSS) from incomplete HTML/XML sanitization in Dom::sanitize() (Kirby <= 4.9.3,5.0.0-5.4.3)
Advisory ID: NBS-2026-0001
Product: Kirby
Affected Version: <= 4.9.3,5.0.0-5.4.3
CVE ID: CVE-2026-54002
Author: Shafiq Aiman | NetbyteSEC
Kirby CMS is vulnerable to stored cross-site scripting (XSS), a vulnerability that was identified in the Dom::sanitize() method used by the writer and list fields (and the broader Sane HTML/SVG/XML sanitization API). When an unknown HTML/XML tag was unwrapped during sanitization, its child nodes were copied into the cleaned output without being passed through the sanitization rules themselves. This indicates an incomplete sanitization pass, which may allow an authenticated user to store malicious script content that executes in the Panel or site frontend when viewed by other users, including higher-privileged admins.
The vulnerability was successfully patched by Kirby on the 4.9.4 and 5.4.4 release versions (June 2026).
<marquee> or any made-up tag), it does not throw away everything inside it. Instead it removes only that tag but keeps the content inside it. Kirby calls this "unwrapping". This is done by a small function called unwrap(), and this is where the bug lives.src/Toolkit/Dom.php.public static function unwrap(DOMNode $node): void { foreach ($node->childNodes as $childNode) { // skip plain text if ($childNode instanceof DOMText) { continue; } // keep the inside content by making a COPY of it <-- the bug $node->parentNode->insertBefore(clone $childNode, $node); } // delete the unknown tag (and its original content) static::remove($node); }
The key word is clone. To keep the unknown tag's contents, Kirby copies everything inside it, then deletes the original. Kirby's tag checklist was built before this copying, so the fresh copies were never on it and never get cleaned.
The affected versions (<= 4.9.3, 5.0.0-5.4.3); Time testing version as shown below:
| Figure 3: Kirby affected version |
Mitigation
At this time, the vulnerability has been successfully addressed in Kirby 4.9.4 and 5.4.4. Users are advised to upgrade to the patched release for their major version (4.9.4 or 5.4.4 or newer) as soon as possible.
Vendor Contact Timeline