{"uuid": "d85dd133-5c19-40cd-9764-c79045f814be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-24x4-j6x9-rfw5", "type": "seen", "source": "https://gist.github.com/alon710/3d0e76ebb14fa6d7f10ac4854f1f3070", "content": "# CVE-2026-55790: CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget\n\n&gt; **CVSS Score:** 7.4\n&gt; **Published:** 2026-07-06\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-55790\n\n## Summary\nA DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.\n\n## TL;DR\nUnauthenticated DOM-based XSS in Craft CMS Support Widget via untrusted GitHub API issue titles, patched in 4.17.16 and 5.9.23.\n\n## Technical Details\n\n- **CWE ID**: CWE-79\n- **Attack Vector**: Network\n- **CVSS v4.0 Score**: 7.4 (High)\n- **EPSS Score**: 0.00311 (Percentile: 22.91%)\n- **Impact**: Administrative Session Hijacking / Remote Code Execution\n- **Exploit Status**: PoC / None detected in wild\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Craft CMS\n\n## Mitigation\n\n- Update Craft CMS to patched versions\n- Disable or remove the CraftSupport widget from administrative dashboards\n- Implement a robust Content Security Policy (CSP)\n\n**Remediation Steps:**\n1. Identify the current running version of Craft CMS on your systems.\n2. Update Craft CMS v4.x instances to 4.17.16 or later, or v5.x instances to 5.9.23 or later.\n3. If immediate patching is impossible, remove the CraftSupport widget from the dashboard configuration.\n4. Verify the application of the patch by checking CraftSupportWidget.js for proper HTML escaping.\n\n## References\n\n- [Official GitHub Security Advisory](https://github.com/craftcms/cms/security/advisories/GHSA-24x4-j6x9-rfw5)\n- [Official Fix Commit](https://github.com/craftcms/cms/commit/6bbb66038a268552180ca5c8eed9f46ea25a4417)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-55790) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-07T02:12:20.702623Z"}