php · getkirby/cms · Critical
Kirby CMS: Dom::sanitize() fails to sanitize unwrapped nodes (XSS)
Dom::sanitize() did not sanitize nodes unwrapped from their parent, allowing stored XSS via writer/list fields or Sane API.
What changed
When Dom::sanitize() unwrapped a node from its parent element, the unwrapped nodes were not sanitized again, so disallowed markup inside them reached the stored output unchecked. This allows stored XSS through writer and list fields, or through any call to the Sane API.
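The bug class described above, as an added illustration that is not Kirby's code: a minimal allowlist sanitizer over PHP's DOMDocument. The allowlist, the helper names (unwrap, handleDisallowed, sanitizeHtml) and the sample input are all constructed for this example. The vulnerable variant walks a snapshot of each element's children, so nodes that unwrap() promotes into the parent are never visited; the fixed variant queues every promoted node and checks it too.

```php
<?php
// Constructed example of the "unwrapped node escapes sanitization" bug class.
// Not Kirby's implementation: a toy allowlist sanitizer over DOMDocument.

const ALLOWED_TAGS = ['p', 'b', 'i', 'ul', 'ol', 'li'];
const DROP_TAGS    = ['script', 'style']; // removed with their content, never unwrapped

// Move $node's children into its parent (in place of $node), then remove $node.
// Returns the promoted nodes so the caller can re-check them.
function unwrap(DOMNode $node): array
{
    $promoted = [];
    $parent = $node->parentNode;
    while ($node->firstChild !== null) {
        $child = $node->firstChild;
        $parent->insertBefore($child, $node);
        $promoted[] = $child;
    }
    $parent->removeChild($node);
    return $promoted;
}

// Handle an element that is not on the allowlist: drop dangerous tags entirely,
// unwrap everything else. Returns the nodes that now sit in the parent.
function handleDisallowed(DOMElement $el): array
{
    if (in_array($el->nodeName, DROP_TAGS, true)) {
        $el->parentNode->removeChild($el);
        return [];
    }
    return unwrap($el);
}

// Vulnerable variant: iterates over a snapshot of the children, so nodes that
// unwrap() promotes into $parent are never visited.
function sanitizeVulnerable(DOMNode $parent): void
{
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMElement && !in_array($child->nodeName, ALLOWED_TAGS, true)) {
            handleDisallowed($child); // promoted nodes are silently skipped
            continue;
        }
        if ($child->hasChildNodes()) {
            sanitizeVulnerable($child);
        }
    }
}

// Fixed variant: every node promoted by an unwrap is pushed back onto the work
// queue, so it is checked against the allowlist like any other child.
function sanitizeFixed(DOMNode $parent): void
{
    $queue = iterator_to_array($parent->childNodes);
    while (($child = array_shift($queue)) !== null) {
        if ($child instanceof DOMElement && !in_array($child->nodeName, ALLOWED_TAGS, true)) {
            foreach (handleDisallowed($child) as $promoted) {
                $queue[] = $promoted; // re-check what was just unwrapped
            }
            continue;
        }
        if ($child->hasChildNodes()) {
            sanitizeFixed($child);
        }
    }
}

// Parse an HTML fragment, run $sanitizer over the body, and serialize the result.
function sanitizeHtml(string $html, callable $sanitizer): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // ignore parser warnings about odd markup
    $doc->loadHTML('<body>' . $html . '</body>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    $sanitizer($body);

    $out = '';
    foreach ($body->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return $out;
}

// Constructed input: a disallowed <span> wrapping a <script> element.
$input = '<p><span><script>untrusted()</script>text</span></p>';
echo "vulnerable: ", sanitizeHtml($input, 'sanitizeVulnerable'), "\n";
echo "fixed:      ", sanitizeHtml($input, 'sanitizeFixed'), "\n";
```

With the constructed input, the vulnerable variant unwraps the `<span>`, which promotes the `<script>` element into the `<p>` after the loop's snapshot was taken, so the script survives in the stored output. The fixed variant re-queues the promoted nodes and drops the `<script>`, leaving only the text. The general rule is that any tree mutation performed during sanitization (unwrapping, merging, splitting) must feed the affected nodes back into the same check, and a regression test like the one above belongs in the sanitizer's suite.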
Who it affects
Kirby sites that pass untrusted input through writer or list fields, or that call Sane::sanitize() on it; the flaw is exploitable by authenticated Panel users.
What to do today
Update to Kirby 4.9.4 or 5.4.4 immediately. If attackers may have had Panel access, review existing content and re-sanitize it with the patched version.