
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32870: XML Injection via Unsafe CDATA Handling in Kirby CMS Toolkit

Vulnerability ID: CVE-2026-32870
CVSS Score: 6.9
Published: 2026-04-23

Kirby CMS versions prior to 4.9.0 and 5.0.0 through 5.3.x are vulnerable to XML Injection (CWE-91). An insecure heuristic within the Toolkit's XML handling methods permits an attacker to bypass entity encoding by prepending a CDATA identifier. This allows the injection of arbitrary XML elements into documents generated by the CMS or custom plugins.

TL;DR

An input validation flaw in Kirby CMS allows attackers to bypass XML escaping by starting input with a CDATA tag. Attackers can terminate the CDATA block early and inject arbitrary XML tags, potentially altering data structures in RSS feeds, sitemaps, or API responses. Upgrading to versions 4.9.0 or 5.4.0 patches the vulnerability.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-91
  • Attack Vector: Network
  • CVSS Base Score: 6.9
  • Impact: High (system integrity)
  • Exploit Status: Proof of Concept
  • Affected Component: Kirby\Toolkit\Xml

Affected Systems

  • Kirby CMS Toolkit
  • Kirby CMS Data handlers
  • Kirby CMS: < 4.9.0 (Fixed in: 4.9.0)
  • Kirby CMS: >= 5.0.0, < 5.4.0 (Fixed in: 5.4.0)

Code Analysis

Commit: a88ef33

Initial fix commit for XML CDATA validation in Kirby 4.x release branch.

Commit: 9309d52

Merge of XML CDATA validation into release branch 5.3.4 (later released as 5.4.0).

Exploit Details

  • Patch Unit Tests: Proof of concept payloads present within the patch unit test suite.

Mitigation Strategies

  • Upgrade Kirby CMS to a supported, patched version.
  • Audit custom templates and plugins for unsafe usage of the Kirby XML toolkit.
  • Implement strict input validation on all user-supplied data to reject unexpected CDATA sequences.
  • Deploy WAF rules to detect and block polyglot payloads containing CDATA terminators.

Remediation Steps:

  1. Identify the current version of Kirby CMS via the panel or configuration files.
  2. If running a 4.x version below 4.9.0, update the core to version 4.9.0.
  3. If running a 5.x version below 5.4.0, update the core to version 5.4.0.
  4. Review custom plugin code for Xml::value(), Xml::tag(), Xml::create(), and Data::encode() usage.
  5. Verify that patched systems properly encode payloads like <![CDATA[ ]]> <test>.
