PT-2025-47416 · Kirby · Kirby

Published: 2025-11-18 · Updated: 2025-11-19 · CVE-2025-65012

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Kirby versions 5.0.0 through 5.1.3

Description: Kirby is a content management system. Attackers could set the title of any page or the name of any user to a malicious string. They could then alter any content field of the same model without saving, potentially causing the model to appear in the "Changes" dialog. If another authenticated user opens this dialog, the malicious code could be executed. The attack requires interaction from another authenticated Panel user and cannot be automated. This issue affects all Kirby 5 sites that have potential attackers among their authenticated Panel users, or that allow external visitors to update page titles or user names. The vulnerability is a cross-site scripting (XSS) flaw: it enables execution of JavaScript within a Panel session, which could let attackers send requests to Kirby's API with the victim's permissions and escalate privileges.

Recommendations: Update to Kirby version 5.1.4 or a later version.
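The description above boils down to a stored XSS: a user-controlled page title or user name is rendered into the "Changes" dialog without being treated as plain text. The following is an added illustration, not Kirby's own Panel code and not the actual fix shipped in 5.1.4; the model shape, the `/panel/pages/` path and the sample title are constructed for the example. It shows the unsafe rendering pattern next to its hardened form so the defect class is visible side by side.

```javascript
// Added illustration (not Kirby's code): a "Changes" list entry rendered from a
// user-controlled page title, once unsafely and once with output encoding.

// Encode the five characters that are significant in HTML text and
// double-quoted attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the title is concatenated straight into markup, so any
// tags it contains become part of the DOM when the dialog is shown.
function renderChangesEntryUnsafe(model) {
  return `<li><a href="/panel/pages/${model.id}">${model.title}</a></li>`;
}

// Hardened pattern: every user-controlled value is encoded before it is placed
// in the markup, so the title is displayed literally and never parsed as HTML.
function renderChangesEntry(model) {
  return `<li><a href="/panel/pages/${escapeHtml(model.id)}">${escapeHtml(model.title)}</a></li>`;
}

// Constructed sample model (hypothetical id and title, not from the advisory).
const sampleModel = { id: "about", title: "About <i>us</i> & more" };

console.log("unsafe:", renderChangesEntryUnsafe(sampleModel));
console.log("safe:  ", renderChangesEntry(sampleModel));
```

In a component framework the same rule applies: render titles and user names through text interpolation, and reserve raw-HTML bindings for content that is already trusted or sanitized. Note that a title which is safe on one screen can still be unsafe on another, which is why the encoding must happen at every output point, including dialogs that list changed models.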

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2025-65012, GHSA-84HF-8GH5-575J

Affected Products: Kirby