CVE-2026-55790
Summary
An attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session.
No control panel account or elevated privileges are required on the attacker’s side.
Preconditions
- Attacker has a GitHub account (no control panel access needed).
- Victim is an administrator, and you have the CraftSupport widget on the dashboard.
- Victim uses the "Give feedback" screen and types a search term that returns the poisoned issue.
Root cause
CraftSupportWidget.js lines 382-392:
$('<a>', {
href: this.getSearchResultUrl(results[i]),
target: '_blank',
html:
'<span class="status ' +
this.getSearchResultStatus(results[i]) +
'"></span>' +
this.getSearchResultText(results[i]),
})
FeedbackScreen.getSearchResultText (line 669-671) returns result.title verbatim from the GitHub API response. The jQuery html: option sets the element’s innerHTML, so a title containing <img src=x onerror=...> executes immediately on render.
The GitHub API returns issue titles as raw JSON strings with no HTML encoding. The widget makes this request directly from the browser, without a Craft proxy or any sanitization step.
HelpScreen (Stack Exchange) is not affected because the Stack Exchange API HTML-encodes titles before returning them.
Steps to reproduce
Plant (attacker, GitHub account only):
1. Open https://github.com/craftcms/cms/issues/new.
2. Set the title to a string combining a plausible search term and the payload, e.g.:
<img src=x onerror=alert(document.domain)> cannot upload files
3. Submit the issue.
Trigger (victim, Craft admin):
1. Open the Craft control panel dashboard.
2. Open the CraftSupport widget, click "Give feedback".
3. Type cannot upload files in the search box.
4. alert(document.domain) fires in the admin's session.
Impact
XSS in the admin control
⚡ Watch CVE-2026-55790
Get an email if CVE-2026-55790 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.31% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all EPSS-scored CVEs.
Advisory coverage (2)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-55790)