PT-2026-34815 · Kirby · Kirby

Dapatrese · Published 2026-04-23 · Updated 2026-04-28

CVE-2026-32870
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Kirby versions prior to 4.9.0
Kirby versions prior to 5.4.0

Description
The Xml::value() method in Kirby contains a flaw in how it handles <![CDATA[ ]]> blocks. The method is designed to let a valid CDATA block pass through without being escaped a second time, but its check only asked whether the input contained a valid CDATA block, not whether the input consisted of one. Input that combined a valid CDATA block with other structured data therefore passed through unescaped, allowing that structured data to bypass value protection and potentially leading to XML injection. XML injection is an attack in which special characters are injected into input data to produce XML output with a malicious meaning, which can manipulate the behavior of systems that parse the resulting XML.
This issue affects the Xml::value() method, as well as Xml::tag(), Xml::create(), and the Xml data handler (e.g., Data::encode($string, 'xml')). These components are not used by the Kirby core but may be used in site or plugin code to build XML strings from input data.

Recommendations
Update to version 4.9.0 or later.
Update to version 5.4.0 or later.
As a temporary workaround, restrict or avoid using Xml::value(), Xml::tag(), Xml::create() and the Xml data handler in site or plugin code wherever they process attacker-controlled input.
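The following added example is not Kirby's code and is written in Python rather than PHP; it illustrates the general escaping pattern the advisory describes so that site and plugin authors can recognise it in their own code. It places a value encoder whose pass-through rule is "the value contains a CDATA block" (the flawed shape) beside one whose rule is "the value is exactly one CDATA block and nothing else", and adds a small audit helper that flags any raw markup left outside CDATA. All function names, regexes and sample inputs here are constructed for the illustration.

```python
import re

# Constructed illustration (not Kirby's implementation) of the CDATA pass-through
# flaw described in the advisory: a "contains CDATA" check versus an
# "is exactly one CDATA block" check.

# Finds any well-formed CDATA block anywhere in the string.
CDATA_ANYWHERE = re.compile(r"<!\[CDATA\[.*?\]\]>", re.DOTALL)
# Matches only when the whole string opens with <![CDATA[ and closes with ]]>.
CDATA_WHOLE = re.compile(r"\A<!\[CDATA\[.*\]\]>\Z", re.DOTALL)


def escape(value: str) -> str:
    """Escape the five characters that carry meaning in XML text and attributes."""
    return (
        value.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
        .replace("'", "&#39;")
    )


def naive_value(value: str) -> str:
    """Flawed shape: treats 'contains a valid CDATA block' as 'is safe to pass through'.

    Anything placed next to the CDATA block, such as extra elements, is emitted
    unescaped; this is the bypass the advisory describes."""
    if CDATA_ANYWHERE.search(value):
        return value
    return escape(value)


def strict_value(value: str) -> str:
    """Hardened shape: pass through only when the entire value is one CDATA block.

    The body of that block must not itself contain the ']]>' terminator, which
    would otherwise close the section early; every other input is escaped."""
    if CDATA_WHOLE.match(value):
        inner = value[len("<![CDATA["):-len("]]>")]
        if "]]>" not in inner:
            return value
    return escape(value)


def contains_unescaped_markup(encoded: str) -> bool:
    """Audit helper: after removing CDATA blocks, no raw '<' may remain in the output."""
    return "<" in CDATA_ANYWHERE.sub("", encoded)


if __name__ == "__main__":
    # Constructed sample inputs: a clean CDATA block, a CDATA block followed by
    # extra markup, two CDATA blocks with markup between them, and plain text.
    samples = [
        "<![CDATA[<b>bold</b>]]>",
        "<![CDATA[ok]]><extra/>",
        "<![CDATA[a]]><extra/><![CDATA[b]]>",
        "plain & text",
    ]
    for s in samples:
        n, t = naive_value(s), strict_value(s)
        print(f"input:  {s!r}")
        print(f"naive:  {n!r}  leaks markup: {contains_unescaped_markup(n)}")
        print(f"strict: {t!r}  leaks markup: {contains_unescaped_markup(t)}")
```

The audit helper is the part worth lifting into a test suite: run every encoder you rely on over inputs that mix a CDATA block with other text and assert that nothing but the CDATA block survives unescaped.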

Related Identifiers

CVE-2026-32870
GHSA-9WFJ-C55W-J9QR

Affected Products

Kirby