
Cloud Vulnerability DB
Community-driven vulnerability database
CVE-2025-65012 affects Kirby, an open-source content management system, in versions 5.0.0 to 5.1.3. The vulnerability is a Cross-site Scripting (XSS) issue in the changes dialog that allows attackers to inject malicious code through page titles or usernames. This vulnerability was discovered and disclosed on November 18, 2025, and affects all Kirby 5 sites where potential attackers have authenticated Panel user access or where external visitors can update page titles or usernames (GitHub Advisory).
The vulnerability is classified as a moderate severity issue with a CVSS v4.0 base score of 5.1. The attack vector is Network-based (AV:N) with Low attack complexity (AC:L), requiring Low privileges (PR:L) and Passive user interaction (UI:P). The vulnerability is categorized as CWE-79: Improper Neutralization of Input During Web Page Generation. The technical exploit involves attackers modifying a page title or username with malicious content, then modifying any content field without saving to make the model appear in the 'Changes' dialog (GitHub Advisory).
When successfully exploited, the vulnerability allows execution of arbitrary JavaScript code inside the Panel session of users. Malicious scripts can trigger requests to Kirby's API with the victim's permissions. This is particularly critical in environments with multiple authenticated Panel users, as attackers could potentially escalate their privileges if they gain access to an admin user's Panel session (GitHub Advisory).
The vulnerability has been patched in Kirby version 5.1.4. The fix adds the required escaping where model titles are rendered, so the browser displays a title as plain text instead of interpreting it as markup and executing embedded code. Users are advised to update to version 5.1.4 or later to address this security issue (GitHub Release).
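The following is an added illustration of the defect class and of the fix the advisory describes; it is not Kirby's code, and the dialog shape (a list of models with `id` and `title`), the function names and the constructed sample titles are assumptions made for the example. It renders the same "changes" list twice, once by concatenating titles into markup verbatim and once through an HTML-escaping helper, and includes a small check a test suite could use to catch markup that did not come from the template:

```javascript
// Added illustration (not Kirby's code): why a changes dialog that interpolates
// model titles into HTML is exploitable, and how output escaping fixes it.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample of what a "changes" dialog might receive: models with
// unsaved changes, identified by a user-controlled title (page title or username).
const sampleChanges = [
  { id: "pages/about", title: "About us" },
  { id: "users/alice", title: '<img src=x onerror="alert(1)">' }, // constructed XSS probe
];

// Vulnerable rendering: the title is concatenated into the markup as-is,
// so any tag or attribute inside it becomes part of the page.
function renderChangesVulnerable(changes) {
  return changes
    .map((m) => `<li data-id="${m.id}">${m.title}</li>`)
    .join("");
}

// Hardened rendering: every user-controlled value is escaped before it
// reaches the HTML string, so the browser shows the title as plain text.
function renderChangesSafe(changes) {
  return changes
    .map((m) => `<li data-id="${escapeHtml(m.id)}">${escapeHtml(m.title)}</li>`)
    .join("");
}

// Detection helper for a test suite: does the rendered markup contain any
// element that the template itself did not emit? The template only produces
// <li ...> and </li>; any other tag means a title was rendered unescaped.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<li\b/.test(t) && t !== "</li>");
}

console.log("vulnerable:", containsInjectedMarkup(renderChangesVulnerable(sampleChanges)));
console.log("safe:      ", containsInjectedMarkup(renderChangesSafe(sampleChanges)));
```

The escaping helper handles both the text context (the title between the `<li>` tags) and the attribute context (the `data-id` value), because a value that is safe in one context is not automatically safe in the other. In a framework-based Panel the equivalent of `renderChangesSafe` is to bind titles through the framework's text interpolation rather than any raw-HTML directive.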
Source: This report was generated using AI.