[HIGH] Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`

PKSA-wps5-gfv8-mm6f CVE-2026-54002 GHSA-wr9h-4r83-f4v6

Affected package: getkirby/cms

Affected version: >=5.0.0-alpha.1,<=5.4.3|<=4.9.3

Reported by:
GitHub