Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:N since the attacker only needs a GitHub account; AC:H and UI:R because an admin must search a term surfacing the poisoned issue; S:C as script runs cross-context in the CP session with high C/I impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session. No control panel account or elevated privileges are required on the attacker’s side. This issue has been fixed in versions 4.17.16 and 5.9.23.
AnalysisAI
Stored cross-site scripting in the Craft CMS control panel lets an attacker holding only a free GitHub account run JavaScript in an administrator's authenticated session. The payload is planted in the title of a craftcms/cms GitHub issue and executes when a Craft admin uses the CraftSupport widget's 'Give feedback' screen and searches a term that surfaces the poisoned issue. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target running an affected Craft CMS build (5.0.0-RC1-5.9.22 or 4.0.0-RC1-4.17.15) and, critically, an administrator actively using the CraftSupport widget's 'Give feedback' screen and typing a search term that returns the attacker's poisoned craftcms/cms issue - this specific admin interaction (reflected as UI:A and the AT:P attack requirement in the CVSS 4.0 vector) is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N) scores 7.4 (High): network reachable with no privileges on the attacker side (PR:N, just a GitHub account), but exploitation carries an attack requirement (AT:P) and active victim interaction (UI:A) - the admin must open the CraftSupport 'Give feedback' screen and search a specific term that returns the poisoned issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free GitHub account and opens an issue on craftcms/cms whose title contains a crafted JavaScript payload matching a plausible search keyword. A Craft admin later opens the CraftSupport 'Give feedback' screen and searches for that keyword; the poisoned title renders in the CP and the script executes in the admin's authenticated session, enabling session/CSRF token theft or admin actions. … |
| Remediation | Vendor-released patch: upgrade to Craft CMS 4.17.16 (4.x line) or 5.9.23 (5.x line), which fix the issue per advisory GHSA-24x4-j6x9-rfw5 (https://github.com/craftcms/cms/security/advisories/GHSA-24x4-j6x9-rfw5); the code change is in commit 6bbb66038a268552180ca5c8eed9f46ea25a4417. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Craft CMS installations for affected versions (4.x: up to 4.17.15; 5.x: up to 5.9.22); disable or restrict the CraftSupport plugin; establish emergency access logging for administrator control panel use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41209
GHSA-24x4-j6x9-rfw5