XPath Injection in Getkirby Kirby
CVE-2026-32870
Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. How…
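The description above is cut off before it explains how the CDATA pass-through is abused, so the following PHP is an added example rather than Kirby's code or the advisory's exact condition. `xmlValueLoose()` is a hypothetical encoder that trusts any value shaped like a CDATA block; `isSingleCdataSection()` and `xmlValueSafe()` are hypothetical stricter alternatives; the crafted input is constructed for the demonstration. It shows the general XML property that makes such pass-throughs risky: a CDATA section ends at the first `]]>`, so a value that merely starts with `<![CDATA[` and ends with `]]>` can still carry real markup between two sections.

```php
<?php
declare(strict_types=1);

// Added example, not Kirby's code. Two hypothetical encoders model the design
// choice the advisory describes: whether input that already looks like a CDATA
// block is trusted and passed through, or always re-encoded. Requires PHP 8.

// Hypothetical loose encoder: trusts anything shaped like a CDATA block.
// Simplified model only; not Kirby's actual Xml::value() implementation.
function xmlValueLoose(string $value): string
{
    if (str_starts_with($value, '<![CDATA[') && str_ends_with($value, ']]>')) {
        return $value; // passed through without any escaping
    }
    return '<![CDATA[' . $value . ']]>';
}

// True only if $value is exactly one well-formed CDATA section: the content
// between the markers must not contain "]]>", which would end the section early
// and let whatever follows be parsed as markup.
function isSingleCdataSection(string $value): bool
{
    if (!str_starts_with($value, '<![CDATA[') || !str_ends_with($value, ']]>')) {
        return false;
    }
    $inner = substr($value, strlen('<![CDATA['), -strlen(']]>'));
    return !str_contains($inner, ']]>');
}

// Hardened encoder: never trusts the input's own markers. Every value is wrapped,
// and an embedded "]]>" is split across two sections ("]]]]><![CDATA[>") so the
// parser sees the literal characters instead of an early terminator.
function xmlValueSafe(string $value): string
{
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $value) . ']]>';
}

// Parses <root>FRAGMENT</root> and returns the number of element children of
// <root>. Text and CDATA nodes are not counted, so a non-zero result means the
// fragment smuggled real markup past the encoder.
function injectedElementCount(string $fragment): int
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML('<root>' . $fragment . '</root>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($ok === false) {
        throw new RuntimeException('fragment is not well-formed XML');
    }
    $count = 0;
    foreach ($doc->documentElement->childNodes as $node) {
        if ($node->nodeType === XML_ELEMENT_NODE) {
            $count++;
        }
    }
    return $count;
}

// Constructed input: starts and ends like a CDATA block, but the first "]]>"
// closes the section and <injected/> is parsed as an element.
$crafted = '<![CDATA[x]]><injected/><![CDATA[y]]>';

printf("loose encoder passed the crafted value through unchanged: %s\n",
    var_export(xmlValueLoose($crafted) === $crafted, true));
printf("strict check accepts the crafted value: %s\n",
    var_export(isSingleCdataSection($crafted), true));
printf("elements injected via loose encoder: %d\n",
    injectedElementCount(xmlValueLoose($crafted)));
printf("elements injected via safe encoder: %d\n",
    injectedElementCount(xmlValueSafe($crafted)));

// A genuine single CDATA block is still accepted by the strict check.
printf("strict check accepts a genuine CDATA block: %s\n",
    var_export(isSingleCdataSection('<![CDATA[plain <b>text</b>]]>'), true));
```

Run it with `php example.php`. The loose encoder returns the crafted value untouched and the parser reports one injected element; the safe encoder yields zero because every byte of the input ends up as character data, whatever markers it contains. Whether to keep a pass-through at all is a separate decision: the strict check shows what "already valid CDATA" has to mean if one is kept.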
EPSS: 0.000 (13.3rd percentile)
Affected products
- Getkirby Kirby: versions < 4.9.0, and versions >= 5.0.0 and < 5.4.0 (fixed in 4.9.0 and 5.4.0)
Weakness classification (CWE)
References
- GitHub Security Advisory GHSA-9wfj-c55w-j9qr: https://github.com/getkirby/kirby/security/advisories/GHSA-9wfj-c55w-j9qr
- Kirby 4.9.0 release: https://github.com/getkirby/kirby/releases/tag/4.9.0
- Kirby 5.4.0 release: https://github.com/getkirby/kirby/releases/tag/5.4.0