DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-55790: CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget

CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget

Vulnerability ID: CVE-2026-55790
CVSS Score: 7.4
Published: 2026-07-06

A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.

TL;DR

Unauthenticated DOM-based XSS in Craft CMS Support Widget via untrusted GitHub API issue titles, patched in 4.17.16 and 5.9.23.


Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v4.0 Score: 7.4 (High)
  • EPSS Score: 0.00311 (Percentile: 22.91%)
  • Impact: Administrative Session Hijacking / Remote Code Execution
  • Exploit Status: PoC / None detected in wild
  • CISA KEV Status: Not Listed

Affected Systems

  • Craft CMS

Mitigation Strategies

  • Update Craft CMS to patched versions
  • Disable or remove the CraftSupport widget from administrative dashboards
  • Implement a robust Content Security Policy (CSP)

Remediation Steps:

  1. Identify the current running version of Craft CMS on your systems.
  2. Update Craft CMS v4.x instances to 4.17.16 or later, or v5.x instances to 5.9.23 or later.
  3. If immediate patching is impossible, remove the CraftSupport widget from the dashboard configuration.
  4. Verify the application of the patch by checking CraftSupportWidget.js for proper HTML escaping.

References


Read the full report for CVE-2026-55790 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)