GHSA-24x4-j6x9-rfw5: Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
Summary
An attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session.
No control panel account or elevated privileges are required on the attacker’s side.
Preconditions
- Attacker has a GitHub account (no control panel access needed).
- Victim is an administrator, and you have the CraftSupport widget on the dashboard.
- Victim uses the "Give feedback" screen and types a search term that returns the poisoned issue.
Root cause
CraftSupportWidget.js lines 382-392:
$('<a>', {
href: this.getSearchResultUrl(results[i]),
target: '_blank',
html:
'<span class="status ' +
this.getSearchResultStatus(results[i]) +
'"></span>' +
this.getSearchResultText(results[i]),
})
FeedbackScreen.getSearchResultText (line 669-671) returns result.title verbatim from the GitHub API response. The jQuery html: option sets the element’s innerHTML, so a title containing <img src=x onerror=...> executes immediately on render.
The GitHub API returns issue titles as raw JSON strings with no HTML encoding. The widget makes this request directly from the browser, without a Craft proxy or any sanitization step.
HelpScreen (Stack Exchange) is not affected because the Stack Exchange API HTML-encodes titles before returning them.
Steps to reproduce
Plant (attacker, GitHub account only):
1. Open https://github.com/craftcms/cms/issues/new.
2. Set the title to a string combining a plausible search term and the payload, e.g.:
<img src=x onerror=alert(document.domain)> cannot upload files
3. Submit the issue.
Trigger (victim, Craft admin):
1. Open the Craft control panel dashboard.
2. Open the CraftSupport widget, click "Give feedback".
3. Type cannot upload files in the search box.
4. alert(document.domain) fires in the admin's session.
Impact
XSS in the admin control
Details
Original advisory: https://github.com/advisories/GHSA-24x4-j6x9-rfw5
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-557900.31% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55790 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10