PatchSiren cyber security CVE debrief
CVE-2026-45368 getkirby CVE debrief
A high-severity vulnerability was found in Kirby, an open-source content management system. The vulnerability affects versions prior to 4.9.1 and 5.4.1. It is related to the handling of URLs in certain components, which could lead to script execution. This issue has significant implications for users of affected versions, as it could allow attackers to execute malicious scripts. Users should review their deployments and plan for updates or mitigations.
- Vendor
- getkirby
- Product
- kirby
- CVSS
- HIGH 8.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Kirby CMS, especially those using versions prior to 4.9.1 and 5.4.1, should be aware of this vulnerability and take necessary actions to mitigate the risk. This includes reviewing deployments, updating to patched versions, and monitoring for suspicious activity. Security teams and operators should prioritize this vulnerability due to its high severity and potential impact.
Technical summary
The vulnerability is caused by the lack of proper filtering of malicious URL values that resolve to script execution in the underlying URL methods for the KirbyTags and image blocks components. This affects four first-party Kirby renderers that produce <a href='…'> output from editor-supplied field values. The vulnerability allows attackers to bypass security protections and execute scripts, potentially leading to unauthorized actions or data breaches.
Defensive priority
High
Recommended defensive actions
- Update to Kirby version 4.9.1 or 5.4.1
- Review and update any custom components that use URL handling
- Monitor for suspicious activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The vulnerability was reported by an unknown source. The CVE record was published on 2026-07-16T22:17:02.680Z and has not been modified since then. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems and review official advisories for further details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T22:17:02.680Z and has not been modified since then.