Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32870

CVE-2026-32870: Getkirby Kirby XXE Vulnerability

CVE-2026-32870 is an XXE flaw in Getkirby Kirby CMS affecting XML value handling in CDATA blocks, allowing structured data manipulation. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-32870 Overview

CVE-2026-32870 is an XML Injection vulnerability (CWE-91) affecting Kirby, an open-source content management system. The vulnerability exists in Kirby's Xml::value() method, which has special handling for <![CDATA[ ]]> blocks. Attackers can exploit a flaw in the CDATA validation logic to inject structured XML data that bypasses the intended value protection, potentially manipulating downstream systems that process the generated XML.

Critical Impact

Attackers can inject malicious XML structures by crafting input that contains valid CDATA blocks alongside additional structured data, circumventing Kirby's XML value protection and potentially manipulating systems that consume the generated XML output.

Affected Products

  • Kirby versions prior to 4.9.0
  • Kirby versions 5.x prior to 5.4.0
  • Sites using Xml::value(), Xml::tag(), Xml::create(), or XML data handler in custom code

Discovery Timeline

  • 2026-04-24 - CVE CVE-2026-32870 published to NVD
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-32870

Vulnerability Analysis

The vulnerability stems from improper validation in Kirby's XML processing methods. The Xml::value() method implements special handling for CDATA blocks to avoid double-escaping already valid CDATA content. However, the validation logic only checks whether the input contains a valid CDATA block, rather than verifying that the entire input string consists exclusively of valid CDATA content.

This oversight allows an attacker to construct a payload that includes a legitimate CDATA block to pass the validation check, while also embedding additional structured XML data outside the CDATA block. Since the validation passes, the entire input—including the malicious structured data—is allowed through without proper escaping.

The affected methods include Xml::value(), Xml::tag(), Xml::create(), and the Xml data handler accessed via Data::encode($string, 'xml'). While these methods are not used in Kirby's core functionality, they are available for use in site-specific or plugin code that generates XML from user input.

Root Cause

The root cause is an insufficient boundary check in the CDATA validation logic. The validation only verified that a valid CDATA block existed within the input rather than ensuring the input consisted entirely of CDATA blocks with no additional content. This allows structured XML data to be injected alongside valid CDATA content, bypassing the escaping mechanism designed to protect against XML injection.

Attack Vector

The attack is network-based and requires no authentication. An attacker can exploit this vulnerability by submitting specially crafted input to any Kirby site functionality that processes user data through the vulnerable XML methods. The malicious input would contain a valid CDATA section to pass the validation check, combined with additional XML structures intended to manipulate downstream systems.

The exploitation scenario requires:

  1. The target site uses Xml::value(), Xml::tag(), Xml::create(), or the XML data handler in custom code
  2. User-controlled input is passed through these methods
  3. The generated XML is consumed by another system that interprets the XML schema

For sites that do not use XML generation in their custom code, the vulnerability has no impact. The attack's success depends on how downstream systems process the manipulated XML output.

Detection Methods for CVE-2026-32870

Indicators of Compromise

  • Unusual XML content in request parameters containing both CDATA blocks and additional XML structures
  • Log entries showing malformed or unexpected XML payloads being processed
  • Anomalous behavior in systems that consume XML output generated by Kirby

Detection Strategies

  • Audit custom site and plugin code for usage of Xml::value(), Xml::tag(), Xml::create(), or Data::encode($string, 'xml')
  • Implement input validation rules to detect payloads containing CDATA blocks combined with structured XML data
  • Review web application firewall logs for requests containing XML injection patterns

Monitoring Recommendations

  • Monitor application logs for XML parsing errors or warnings that may indicate injection attempts
  • Implement alerting for any unusual patterns in user input fields that interact with XML generation
  • Track downstream system behavior for signs of manipulation via injected XML structures

How to Mitigate CVE-2026-32870

Immediate Actions Required

  • Upgrade Kirby to version 4.9.0 or later for the 4.x branch
  • Upgrade Kirby to version 5.4.0 or later for the 5.x branch
  • Audit any custom code using the affected XML methods to assess exposure
  • Review and validate XML output generated by affected methods before passing to downstream systems

Patch Information

The vulnerability has been patched in Kirby 4.9.0 and Kirby 5.4.0. The fix adds additional validation checks that only permit unchanged CDATA passthrough when the entire input string consists exclusively of valid CDATA blocks with no additional structured data. This ensures all uses of the affected methods are protected against the described vulnerability.

Patch resources:

Workarounds

  • Avoid using Xml::value(), Xml::tag(), Xml::create(), or the XML data handler with user-controlled input until patched
  • Implement custom input validation to reject any input containing CDATA blocks before passing to XML methods
  • If XML generation is necessary, manually escape all user input before processing through XML methods
bash
# Update Kirby via Composer
composer update getkirby/kirby

# Verify installed version
composer show getkirby/kirby | grep version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.