CVE-2026-32870
Published: 24 April 2026
Summary
CVE-2026-32870 is a high-severity XML Injection (aka Blind XPath Injection, CWE-91) vulnerability in Kirby, the content management system published by Getkirby. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 11.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely patching (SI-2) of the XML injection flaw in Kirby's Xml::value() method eliminates the vulnerability directly; the fix ships in versions 4.9.0 and 5.4.0.
Validating untrusted input (SI-10) before it reaches XML generation methods such as Xml::value() prevents injection of a valid CDATA block followed by extraneous structured data.
Filtering and properly encoding XML output generated from custom site or plugin code limits the impact if the internal protection in Xml::value() is bypassed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable XML injection flaw (CWE-91) in a public-facing CMS component (Xml::value() and the methods built on it) that requires neither authentication nor user interaction, which maps directly to T1190 against sites that use the affected XML generation paths.
NVD Description
Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.
Deeper analysis
CVE-2026-32870 is a vulnerability in the open-source Kirby content management system, specifically in the `Xml::value()` method, which provides special handling for `<![CDATA[ ]]>` blocks. Prior to versions 4.9.0 and 5.4.0, the method could be tricked into allowing input that contains a valid CDATA block along with additional structured XML data outside of it. This bypasses the intended value protection, as the extra structured data passes through unescaped. The affected methods include `Xml::value()`, `Xml::tag()`, `Xml::create()`, and the `Xml` data handler (e.g., `Data::encode($string, 'xml')`), though these are not used in Kirby's core and only appear in custom site or plugin code that generates XML from input data.
The vulnerability can be exploited by remote attackers with no privileges or user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and association with CWE-91 (XML Injection). Exploitation requires a Kirby site or plugin that processes untrusted input through the vulnerable methods to generate XML files or strings. If those outputs are consumed by another system that interprets the specific XML schema, an attacker can inject malicious structured data to manipulate that system's behavior, potentially leading to high integrity impacts such as unauthorized data modification or control over XML processing logic. Sites not using XML generation in custom code remain unaffected.
Mitigation is available via patches in Kirby 4.9.0 and 5.4.0, which introduce additional checks to ensure passthrough of unchanged CDATA only occurs when the entire input string consists solely of valid CDATA blocks with no extraneous structured data. Official advisories, including the Kirby security advisory (GHSA-9wfj-c55w-j9qr) and release notes for versions 4.9.0 and 5.4.0 on GitHub, confirm these fixes protect all uses of the methods and recommend upgrading immediately for sites relying on XML handling in plugins or custom code.
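The following added example is not Kirby's code and the function names are hypothetical; it models the two passthrough checks the advisory contrasts, a weak one that accepts a value as soon as it contains a valid CDATA block anywhere, and a strict one that accepts only when the entire value consists of CDATA blocks, so that trailing structured data is escaped instead of passed through:

```php
<?php
// Illustrative reconstruction (NOT Kirby's actual implementation) of the
// CDATA passthrough decision in an Xml::value()-style escaping helper.

// One well-formed CDATA block: the body may not contain the "]]>" terminator.
const CDATA_BLOCK = '<!\[CDATA\[(?:(?!\]\]>).)*\]\]>';

// Hypothetical weak check: a valid CDATA block somewhere in the value is enough.
function weakIsCdata(string $value): bool
{
    return preg_match('/' . CDATA_BLOCK . '/s', $value) === 1;
}

// Hypothetical strict check (the behaviour the patched releases describe):
// the whole value must be one or more CDATA blocks and nothing else.
function strictIsCdata(string $value): bool
{
    return preg_match('/\A(?:' . CDATA_BLOCK . ')+\z/s', $value) === 1;
}

// Escape the value for use as XML text unless the checker approves passthrough.
function xmlValue(string $value, callable $isCdata): string
{
    if ($isCdata($value)) {
        return $value; // unchanged CDATA passthrough
    }
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs (not taken from the advisory).
$inputs = [
    '<![CDATA[plain text]]>',                 // pure CDATA: passes under both checks
    '<![CDATA[a]]><![CDATA[b]]>',             // several blocks: still pure CDATA
    '<![CDATA[plain text]]><extra>1</extra>', // CDATA plus structured data outside it
    '<![CDATA[x]]>tail]]>',                   // terminator inside, data after the block
    'a & b',                                  // ordinary text: always escaped
];

foreach ($inputs as $in) {
    printf("input : %s\nweak  : %s\nstrict: %s\n\n",
        $in, xmlValue($in, 'weakIsCdata'), xmlValue($in, 'strictIsCdata'));
}
```

Under the weak check the third and fourth inputs are returned verbatim, so the markup after the CDATA block reaches the XML consumer unescaped; under the strict check they are escaped, while the first two inputs still pass through unchanged.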
Details
- CWE(s)