CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-24x4-j6x9-rfw5: Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget

highCVE-2026-55790
Summary An attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session. No control panel account or elevated privileges are required on the attacker’s side. Preconditions - Attacker has a GitHub account (no control panel access needed). - Victim is an administrator, and you have the CraftSupport widget on the dashboard. - Victim uses the "Give feedback" screen and types a search term that returns the poisoned issue. Root cause CraftSupportWidget.js lines 382-392: $('<a>', { href: this.getSearchResultUrl(results[i]), target: '_blank', html: '<span class="status ' + this.getSearchResultStatus(results[i]) + '"></span>' + this.getSearchResultText(results[i]), }) FeedbackScreen.getSearchResultText (line 669-671) returns result.title verbatim from the GitHub API response. The jQuery html: option sets the element’s innerHTML, so a title containing <img src=x onerror=...> executes immediately on render. The GitHub API returns issue titles as raw JSON strings with no HTML encoding. The widget makes this request directly from the browser, without a Craft proxy or any sanitization step. HelpScreen (Stack Exchange) is not affected because the Stack Exchange API HTML-encodes titles before returning them. Steps to reproduce Plant (attacker, GitHub account only): 1. Open https://github.com/craftcms/cms/issues/new. 2. Set the title to a string combining a plausible search term and the payload, e.g.: <img src=x onerror=alert(document.domain)> cannot upload files 3. Submit the issue. Trigger (victim, Craft admin): 1. Open the Craft control panel dashboard. 2. Open the CraftSupport widget, click "Give feedback". 3. Type cannot upload files in the search box. 4. alert(document.domain) fires in the admin's session. Impact XSS in the admin control

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-07-06
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-24x4-j6x9-rfw5

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-55790coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from GitHub Security Advisories