php · getkirby/cms · Critical
getkirby/cms: Writer field allows JavaScript URLs (self-XSS)
The writer field's link and email marks allowed JavaScript URLs, enabling self-XSS attacks.
What changed
The writer field's link and email marks allowed JavaScript URLs, enabling self-XSS attacks. Patched in Kirby 4.9.4 and 5.4.4 with robust validation against dangerous URL schemes.
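As an added example, not Kirby's own patch, this is the kind of allow-list scheme check a Panel component could apply to a link or email mark's href before it is stored; the scheme sets, the `mark` parameter and the placeholder base URL are assumptions, and the check relies on the WHATWG URL parser so that case differences, surrounding whitespace and embedded tab/newline characters are normalised before the scheme is compared rather than defeating a naive prefix test.

```javascript
// Added example, not getkirby/cms code. Allow-list validation of the
// href attribute of a writer-field link or email mark.
// Assumption: link marks accept web, mail and phone schemes; email marks
// accept only mailto:. Relative hrefs ("/docs", "#top") are resolved
// against a placeholder base purely so that their scheme can be checked.
const LINK_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);
const EMAIL_SCHEMES = new Set(["mailto:"]);
const RELATIVE_BASE = "https://example.invalid/"; // placeholder, never rendered

// Returns true only if the href parses and its scheme is allowed for the
// given mark type ("link" or "email"). Unparseable input is rejected.
function isSafeMarkHref(href, mark = "link") {
  if (typeof href !== "string" || href.trim() === "") return false;
  const allowed = mark === "email" ? EMAIL_SCHEMES : LINK_SCHEMES;
  let url;
  try {
    // The URL parser strips leading/trailing control characters and
    // spaces, removes embedded tabs/newlines and lowercases the scheme,
    // so "\tJaVaScRiPt:" is seen as "javascript:" and rejected.
    url = new URL(href, RELATIVE_BASE);
  } catch {
    return false;
  }
  return allowed.has(url.protocol);
}

// Drops the href from a mark's attributes when it fails the check,
// keeping the remaining attributes (e.g. title, target) untouched.
function sanitizeMarkAttrs(attrs, mark = "link") {
  const { href, ...rest } = attrs;
  return isSafeMarkHref(href, mark) ? { ...rest, href } : rest;
}
```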
Who it affects
Kirby sites using the writer field in any blueprint, and Panel plugins using the <k-writer> component.
What to do today
Update to Kirby 4.9.4, 5.4.4, or later immediately.