Understanding Self-Cross-Site Scripting (Self-XSS) in Kirby's Writer Field
This educational analysis covers a self-cross-site scripting (self-XSS) vulnerability in Kirby's writer field, affecting sites using this feature in any blueprint. The vulnerability, tracked as CVE-2026-49276, allows attackers to inject malicious links into content, which can be executed by the same user who entered it before saving the content. The attack requires knowledge of the content structure and social engineering of a user with access to the Panel, and it cannot be automated.