CVE-2026-32870 Overview
CVE-2026-32870 is an XML Injection vulnerability (CWE-91) affecting Kirby, an open-source content management system. The vulnerability exists in Kirby's Xml::value() method, which has special handling for <![CDATA[ ]]> blocks. Attackers can exploit a flaw in the CDATA validation logic to inject structured XML data that bypasses the intended value protection, potentially manipulating downstream systems that process the generated XML.
Critical Impact
Attackers can inject malicious XML structures by crafting input that contains valid CDATA blocks alongside additional structured data, circumventing Kirby's XML value protection and potentially manipulating systems that consume the generated XML output.
Affected Products
- Kirby versions prior to 4.9.0
- Kirby versions 5.x prior to 5.4.0
- Sites using Xml::value(), Xml::tag(), Xml::create(), or XML data handler in custom code
Discovery Timeline
- 2026-04-24 - CVE CVE-2026-32870 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-32870
Vulnerability Analysis
The vulnerability stems from improper validation in Kirby's XML processing methods. The Xml::value() method implements special handling for CDATA blocks to avoid double-escaping already valid CDATA content. However, the validation logic only checks whether the input contains a valid CDATA block, rather than verifying that the entire input string consists exclusively of valid CDATA content.
This oversight allows an attacker to construct a payload that includes a legitimate CDATA block to pass the validation check, while also embedding additional structured XML data outside the CDATA block. Since the validation passes, the entire input—including the malicious structured data—is allowed through without proper escaping.
The affected methods include Xml::value(), Xml::tag(), Xml::create(), and the Xml data handler accessed via Data::encode($string, 'xml'). While these methods are not used in Kirby's core functionality, they are available for use in site-specific or plugin code that generates XML from user input.
Root Cause
The root cause is an insufficient boundary check in the CDATA validation logic. The validation only verified that a valid CDATA block existed within the input rather than ensuring the input consisted entirely of CDATA blocks with no additional content. This allows structured XML data to be injected alongside valid CDATA content, bypassing the escaping mechanism designed to protect against XML injection.
Attack Vector
The attack is network-based and requires no authentication. An attacker can exploit this vulnerability by submitting specially crafted input to any Kirby site functionality that processes user data through the vulnerable XML methods. The malicious input would contain a valid CDATA section to pass the validation check, combined with additional XML structures intended to manipulate downstream systems.
The exploitation scenario requires:
- The target site uses Xml::value(), Xml::tag(), Xml::create(), or the XML data handler in custom code
- User-controlled input is passed through these methods
- The generated XML is consumed by another system that interprets the XML schema
For sites that do not use XML generation in their custom code, the vulnerability has no impact. The attack's success depends on how downstream systems process the manipulated XML output.
Detection Methods for CVE-2026-32870
Indicators of Compromise
- Unusual XML content in request parameters containing both CDATA blocks and additional XML structures
- Log entries showing malformed or unexpected XML payloads being processed
- Anomalous behavior in systems that consume XML output generated by Kirby
Detection Strategies
- Audit custom site and plugin code for usage of Xml::value(), Xml::tag(), Xml::create(), or Data::encode($string, 'xml')
- Implement input validation rules to detect payloads containing CDATA blocks combined with structured XML data
- Review web application firewall logs for requests containing XML injection patterns
Monitoring Recommendations
- Monitor application logs for XML parsing errors or warnings that may indicate injection attempts
- Implement alerting for any unusual patterns in user input fields that interact with XML generation
- Track downstream system behavior for signs of manipulation via injected XML structures
How to Mitigate CVE-2026-32870
Immediate Actions Required
- Upgrade Kirby to version 4.9.0 or later for the 4.x branch
- Upgrade Kirby to version 5.4.0 or later for the 5.x branch
- Audit any custom code using the affected XML methods to assess exposure
- Review and validate XML output generated by affected methods before passing to downstream systems
Patch Information
The vulnerability has been patched in Kirby 4.9.0 and Kirby 5.4.0. The fix adds additional validation checks that only permit unchanged CDATA passthrough when the entire input string consists exclusively of valid CDATA blocks with no additional structured data. This ensures all uses of the affected methods are protected against the described vulnerability.
Patch resources:
Workarounds
- Avoid using Xml::value(), Xml::tag(), Xml::create(), or the XML data handler with user-controlled input until patched
- Implement custom input validation to reject any input containing CDATA blocks before passing to XML methods
- If XML generation is necessary, manually escape all user input before processing through XML methods
# Update Kirby via Composer
composer update getkirby/kirby
# Verify installed version
composer show getkirby/kirby | grep version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
