CVE-2026-32870— Kirby has XML injection in its XML creator toolkit

Kirby has XML injection in its XML creator toolkit

Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for `<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check into allowing values that only contained a valid `CDATA` block but also contained other structured data outside of the `CDATA` block. This structured data would then also be allowed to pass through, circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create XML strings from input data. If those generated files are passed to another implementation that assigns specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured data. This protects all uses of the method against the described vulnerability.

N/A

XML注入(XPath盲注)

Kirby 安全漏洞

Kirby是Kirby开源的一套基于文件的内容管理系统（CMS）。 Kirby 4.9.0之前版本和5.4.0之前版本存在安全漏洞，该漏洞源于Xml::value()方法对CDATA块处理不当，可能导致绕过值保护，允许包含有效CDATA块之外的结构化数据通过。

N/A

N/A