CVE-2025-65012: Kirby CMS has cross-site scripting (XSS) in the changes dialog

November 18, 2025 (updated November 19, 2025)

The “Changes” dialog in the Panel displays all content models (pages, files, users) with changed content, i.e. with content that has not yet been published. Each changed model is listed with its preview image/icon and its title/name.

Attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for display in the “Changes” dialog. If another authenticated user subsequently opened the dialog in their Panel, the malicious code would be executed.

References

github.com/advisories/GHSA-84hf-8gh5-575j
github.com/getkirby/kirby
github.com/getkirby/kirby/releases/tag/5.1.4
github.com/getkirby/kirby/security/advisories/GHSA-84hf-8gh5-575j
nvd.nist.gov/vuln/detail/CVE-2025-65012

Code Behaviors & Features

Detect and mitigate CVE-2025-65012 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →