CVE-2024-26484 identifies a stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS version 4.1.0. Stored XSS vulnerabilities occur when malicious input is saved by the application and later rendered in users' browsers without proper sanitization or encoding, enabling attackers to execute arbitrary JavaScript or HTML code. In this case, the vulnerability is triggered by injecting a crafted payload into the Link field of the content layout editor. When a victim views the affected content, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions. The vendor has clarified that this vulnerability did not affect any customer-controlled installations of Kirby CMS and was limited to the trykirby.com demo site, which is publicly accessible but not used for production content. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be performed remotely over the network with low attack complexity, no privileges required, but requires user interaction (e.g., a victim clicking a link). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is low, while availability is unaffected. No patches or fixes have been linked, and no known exploits in the wild have been reported. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).

If exploited, this vulnerability could allow attackers to execute arbitrary scripts in the browsers of users who view the compromised content, potentially leading to theft of session cookies, user impersonation, or manipulation of displayed content. Although the vendor states that customer-controlled instances are not affected, organizations using Kirby CMS should be aware of the risk if they have deployed the vulnerable module or use the demo environment in any capacity. The impact is primarily on confidentiality and integrity of user data and interactions. Since the vulnerability requires user interaction and is limited to a demo environment, the real-world risk is currently low. However, if similar vulnerabilities exist in customer deployments or if attackers find ways to exploit the demo site to pivot attacks, the impact could escalate. No availability impact is expected. The absence of known exploits reduces immediate risk but does not eliminate the need for vigilance.

Organizations should first verify whether their Kirby CMS installations include the Edit Content Layout module and confirm the version in use. Since the vendor claims no customer versions are affected, administrators should ensure they are not using the vulnerable demo environment or any unpatched versions. Implement strict input validation and output encoding on all user-supplied data fields, especially those that accept HTML or links, to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor web logs and user reports for suspicious activity indicative of XSS exploitation attempts. If possible, isolate or disable the vulnerable module until a patch or official confirmation is provided. Educate users about the risks of clicking untrusted links or interacting with unverified content. Regularly update Kirby CMS and its modules to the latest secure versions once patches become available.