SCA: security update for getkirby/cms (GHSA-9wfj-c55w-j9qr)

medium Tenable Self-Hosted Container Security Plugin ID 440788

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Kirby is an open-source content management system. Kirby's `Xml::value()` method has special handling for
`<![CDATA[ ]]>` blocks. If the input value is already valid `CDATA`, it is not escaped a second time but
allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check
into allowing values that only contained a valid `CDATA` block but also contained other structured data
outside of the `CDATA` block. This structured data would then also be allowed to pass through,
circumventing the value protection. The `Xml::value()` method is used in `Xml::tag()`, `Xml::create()` and
in the `Xml` data handler (e.g. `Data::encode($string, 'xml')`). Both the vulnerable methods and the data
handler are not used in the Kirby core. However they may be used in site or plugin code, e.g. to create
XML strings from input data. If those generated files are passed to another implementation that assigns
specific meaning to the XML schema, manipulation of this system's behavior is possible. Kirby sites that
don't use XML generation in site or plugin code are not affected. The problem has been patched in Kirby
4.9.0 and Kirby 5.4.0. In all of the mentioned releases, Kirby has added additional checks that only allow
unchanged `CDATA` passthrough if the entire string is made up of valid `CDATA` blocks and no structured
data. This protects all uses of the method against the described vulnerability. (CVE-2026-32870)

Solution

Update the getkirby/cms library and its related packages to version 4.9.0 or later.

See Also

https://github.com/advisories/GHSA-9wfj-c55w-j9qr

Plugin Details

Severity: Medium

ID: 440788

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 4/24/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-32870

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.4

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/23/2026

Vulnerability Publication Date: 4/23/2026

Reference Information

CVE: CVE-2026-32870

cwe: CWE-91