CVE-2024-26482

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-26482
An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's mentioned "injecting malicious scripts" would not occur.

7.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-HTML-Injection-19ca19686d0a4533ab4b0c53fc977eef?pvs=4 Exploit Third Party Advisory
https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-HTML-Injection-19ca19686d0a4533ab4b0c53fc977eef?pvs=4 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:getkirby:kirby:4.1.0:-:*:*:*:*:*:*
History

21 Aug 2025, 14:03

Type Values Removed Values Added
CPE cpe:2.3:a:getkirby:kirby:4.1.0:-:*:*:*:*:*:*
References () https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-HTML-Injection-19ca19686d0a4533ab4b0c53fc977eef?pvs=4 - () https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-HTML-Injection-19ca19686d0a4533ab4b0c53fc977eef?pvs=4 - Exploit, Third Party Advisory
First Time Getkirby
Getkirby kirby

21 Nov 2024, 09:02

Type Values Removed Values Added
References () https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-HTML-Injection-19ca19686d0a4533ab4b0c53fc977eef?pvs=4 - () https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-HTML-Injection-19ca19686d0a4533ab4b0c53fc977eef?pvs=4 -

29 Aug 2024, 20:36

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.1
CWE CWE-80

26 Feb 2024, 19:15

Type Values Removed Values Added
Summary (en) An HTML injection vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted payload. (en) An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is backend sanitization such that the reporter's mentioned "injecting malicious scripts" would not occur.

22 Feb 2024, 19:07

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de inyección de HTML en el módulo Edit Content Layout de Kirby CMS v4.1.0 permite a los atacantes ejecutar código arbitrario a través de un payload manipulado.

22 Feb 2024, 05:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-02-22 05:15

Updated : 2025-08-21 14:03

NVD link : CVE-2024-26482

Mitre link : CVE-2024-26482

CVE.ORG link : CVE-2024-26482

JSON object : View

Products Affected

getkirby

  • kirby
CWE
CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)