Skip to main content

Craft CMS CVE-2026-55790

| EUVDEUVD-2026-41209 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 security-advisories@github.com GHSA-24x4-j6x9-rfw5
7.4
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.0 HIGH

PR:N since the attacker only needs a GitHub account; AC:H and UI:R because an admin must search a term surfacing the poisoned issue; S:C as script runs cross-context in the CP session with high C/I impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 23:01 EUVD
Analysis Generated
Jul 01, 2026 - 23:31 vuln.today

DescriptionCVE.org

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session. No control panel account or elevated privileges are required on the attacker’s side. This issue has been fixed in versions 4.17.16 and 5.9.23.

AnalysisAI

Stored cross-site scripting in the Craft CMS control panel lets an attacker holding only a free GitHub account run JavaScript in an administrator's authenticated session. The payload is planted in the title of a craftcms/cms GitHub issue and executes when a Craft admin uses the CraftSupport widget's 'Give feedback' screen and searches a term that surfaces the poisoned issue. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register free GitHub account
Delivery
Plant XSS payload in issue title
Exploit
Admin searches term in CraftSupport widget
Execution
Poisoned title renders in CP DOM
Persist
Script executes in admin session
Impact
Steal session token or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the target running an affected Craft CMS build (5.0.0-RC1-5.9.22 or 4.0.0-RC1-4.17.15) and, critically, an administrator actively using the CraftSupport widget's 'Give feedback' screen and typing a search term that returns the attacker's poisoned craftcms/cms issue - this specific admin interaction (reflected as UI:A and the AT:P attack requirement in the CVSS 4.0 vector) is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N) scores 7.4 (High): network reachable with no privileges on the attacker side (PR:N, just a GitHub account), but exploitation carries an attack requirement (AT:P) and active victim interaction (UI:A) - the admin must open the CraftSupport 'Give feedback' screen and search a specific term that returns the poisoned issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free GitHub account and opens an issue on craftcms/cms whose title contains a crafted JavaScript payload matching a plausible search keyword. A Craft admin later opens the CraftSupport 'Give feedback' screen and searches for that keyword; the poisoned title renders in the CP and the script executes in the admin's authenticated session, enabling session/CSRF token theft or admin actions. …
Remediation Vendor-released patch: upgrade to Craft CMS 4.17.16 (4.x line) or 5.9.23 (5.x line), which fix the issue per advisory GHSA-24x4-j6x9-rfw5 (https://github.com/craftcms/cms/security/advisories/GHSA-24x4-j6x9-rfw5); the code change is in commit 6bbb66038a268552180ca5c8eed9f46ea25a4417. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Craft CMS installations for affected versions (4.x: up to 4.17.15; 5.x: up to 5.9.22); disable or restrict the CraftSupport plugin; establish emergency access logging for administrator control panel use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55790 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy