Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55790

CVE-2026-55790: Craft CMS XSS Vulnerability

CVE-2026-55790 is an XSS flaw in Craft CMS that allows attackers to execute JavaScript payloads in admin sessions via GitHub issue titles. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-55790 Overview

CVE-2026-55790 is a stored cross-site scripting (XSS) vulnerability in Craft CMS, an open-source content management system. The flaw resides in the CraftSupport widget's "Give feedback" search feature, which failed to escape GitHub issue titles rendered in the Craft control panel. An attacker with only a standard GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft administrator searches for a term that returns the poisoned issue, the payload executes in the admin's browser session. Affected versions include 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15. The issue is tracked as [CWE-79] and fixed in versions 4.17.16 and 5.9.23.

Critical Impact

Attackers can hijack Craft CMS administrator sessions and perform authenticated actions in the control panel by planting malicious payloads in public GitHub issue titles.

Affected Products

  • Craft CMS versions 5.0.0-RC1 through 5.9.22
  • Craft CMS versions 4.0.0-RC1 through 4.17.15
  • Deployments using the built-in CraftSupport widget in the control panel dashboard

Discovery Timeline

  • 2026-07-01 - CVE-2026-55790 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-55790

Vulnerability Analysis

The CraftSupport widget queries the craftcms/cms GitHub repository for issues that match an administrator's search term. Matching issue titles are then rendered directly into the control panel's DOM without HTML escaping. Because GitHub issue creation requires no privileges beyond a free account, an unauthenticated external attacker can supply attacker-controlled HTML that is later rendered inside a privileged administrator session.

Successful exploitation runs arbitrary JavaScript with the admin's browser context. This enables session token theft, forced configuration changes, plugin installation, and content manipulation through the same-origin control panel APIs.

Root Cause

The root cause is missing output encoding in src/web/assets/craftsupport/src/CraftSupportWidget.js. The getSearchResultText() return value was concatenated into an HTML string and injected via a DOM API without sanitization. The fix wraps the return value in Craft.escapeHtml(), converting HTML metacharacters to entity references before rendering.

Attack Vector

Exploitation requires two conditions: an attacker who has filed a GitHub issue with a payload in its title, and a Craft admin who types a search term into the CraftSupport widget that surfaces that issue. The attack is network-based and needs user interaction from the administrator, but no control panel credentials on the attacker's side.

javascript
                     '<span class="status ' +
                     this.getSearchResultStatus(results[i]) +
                     '"></span>' +
-                    this.getSearchResultText(results[i]),
+                    Craft.escapeHtml(this.getSearchResultText(results[i])),
                 })
               )
             );
// Source: https://github.com/craftcms/cms/commit/6bbb66038a268552180ca5c8eed9f46ea25a4417

The patch invokes Craft.escapeHtml() on the untrusted search result text, neutralizing embedded HTML and script tags before insertion into the DOM.

Detection Methods for CVE-2026-55790

Indicators of Compromise

  • Unexpected outbound requests from admin browser sessions to attacker-controlled domains shortly after using the CraftSupport widget.
  • Control panel actions such as user creation, role changes, or plugin installs originating from an admin session without corresponding legitimate activity.
  • GitHub issues in craftcms/cms whose titles contain HTML tags, <script> fragments, or JavaScript event handler syntax.

Detection Strategies

  • Inventory Craft CMS installations and flag any instance running 4.0.0-RC1 through 4.17.15 or 5.0.0-RC1 through 5.9.22.
  • Review web server access logs for /actions/craft-support/search (or equivalent widget endpoint) requests followed by anomalous authenticated API calls.
  • Deploy a Content Security Policy (CSP) in report-only mode on the control panel and monitor for inline script violations.

Monitoring Recommendations

  • Alert on new administrator sessions performing privileged operations immediately after loading the dashboard containing the CraftSupport widget.
  • Monitor browser telemetry for script execution originating from control panel URLs referencing GitHub API responses.
  • Track changes to Craft CMS plugin, user, and permission tables for out-of-band modifications.

How to Mitigate CVE-2026-55790

Immediate Actions Required

  • Upgrade Craft CMS to version 4.17.16 or 5.9.23, which apply Craft.escapeHtml() to search results.
  • Remove the CraftSupport widget from administrator dashboards until patching is complete.
  • Rotate control panel session cookies and API tokens if suspicious admin activity is observed.

Patch Information

The fix is delivered in Craft CMS 4.17.16 and 5.9.23. See the GitHub Security Advisory GHSA-24x4-j6x9-rfw5 and the GitHub Commit Update for the source-level change.

Workarounds

  • Disable or hide the CraftSupport widget from all administrator dashboards through the control panel widget settings.
  • Restrict control panel access to trusted networks using firewall rules or reverse proxy allowlists.
  • Enforce a strict Content Security Policy for control panel routes to block inline script execution.
bash
# Upgrade Craft CMS via Composer to a patched release
composer require craftcms/cms:^5.9.23 --update-with-dependencies
# Or for the 4.x branch
composer require craftcms/cms:^4.17.16 --update-with-dependencies
php craft up

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.