CVE-2026-55790

Source
https://cve.org/CVERecord?id=CVE-2026-55790
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55790.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55790
Aliases
Published
2026-07-01T22:57:53.934Z
Modified
2026-07-15T01:49:21.415098142Z
Severity
  • 7.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
Details

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session. No control panel account or elevated privileges are required on the attacker’s side. This issue has been fixed in versions 4.17.16 and 5.9.23.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55790.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/cms
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "5.0.0-RC1"
        },
        {
            "fixed": "5.9.23"
        },
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.17.16"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55790.json"