Kirby CMS, an open-source content management system, suffers from a stored cross-site scripting vulnerability identified as CVE-2025-65012, classified under CWE-79. The vulnerability exists in versions 5.0.0 to 5.1.3, where an attacker with authenticated access can modify the title of any page or the name of any user to include malicious JavaScript code. Additionally, the attacker can alter any content field of the same model without saving, causing the model to appear in the 'Changes' dialog within the Kirby Panel interface. When another authenticated user subsequently opens this dialog, the embedded malicious script executes in their browser context. This attack vector relies on the presence of multiple authenticated users with access to the Panel and the ability for attackers to modify page titles or usernames. The vulnerability does not allow unauthenticated attackers to exploit it, nor can it be triggered without user interaction by a second Panel user. The issue was addressed and patched in Kirby version 5.1.4. The CVSS 4.0 score is 5.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required beyond authenticated access, and requiring user interaction. The impact primarily affects confidentiality and integrity within the authenticated user environment, with no direct availability impact or remote code execution capabilities.

For European organizations using Kirby CMS versions 5.0.0 to 5.1.3, this vulnerability poses a risk of cross-site scripting attacks within their administrative or editorial teams. The exploitation could lead to session hijacking, unauthorized actions performed in the context of authenticated users, or theft of sensitive information accessible through the Panel. This could undermine trust in the CMS, lead to data integrity issues, and potentially facilitate further attacks if attackers leverage stolen credentials or session tokens. Since exploitation requires authenticated access and user interaction, the threat is more significant in environments with multiple users having Panel access, such as media companies, educational institutions, or government agencies using Kirby for content management. The vulnerability does not allow unauthenticated remote exploitation, limiting its impact to insider threats or compromised accounts. However, the presence of malicious scripts could also be used to pivot attacks or spread malware within the organization’s network. The medium severity rating suggests a moderate risk, but the potential for lateral movement and data compromise elevates the importance of timely patching and access control.

European organizations should immediately upgrade all Kirby CMS installations to version 5.1.4 or later to remediate this vulnerability. Until patching is possible, restrict Panel access strictly to trusted users and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised accounts. Implement rigorous input validation and sanitization on user-modifiable fields like page titles and usernames, if customization is possible beyond the core CMS. Monitor logs for unusual changes to page titles or usernames and audit the 'Changes' dialog access patterns for suspicious activity. Educate users with Panel access about the risks of interacting with untrusted content and encourage cautious behavior when reviewing changes. Consider deploying Content Security Policy (CSP) headers to limit the execution of injected scripts within the Panel interface. Finally, conduct regular security assessments and vulnerability scans on CMS installations to detect outdated versions or misconfigurations.