Cross-Site Scripting Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-55790

7.4HIGH

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-55790?

Craft CMS, a widely-used content management system by Pixel & Tonic, has a vulnerability that allows an attacker to inject a malicious JavaScript payload in the titles of GitHub issues. This occurs in specific versions from 4.0.0-RC1 to 5.9.22. When a Craft administrator utilizes the CraftSupport widget for feedback and searches for the compromised issue, the malicious code executes, compromising the admin panel without needing elevated privileges. This vulnerability has been mitigated in the subsequent releases 4.17.16 and 5.9.23.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.9.23 < 5.0.0-RC1, 5.9.23

cms >= 4.0.0-RC1, < 4.17.16 < 4.0.0-RC1, 4.17.16

References

CVSS V4

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.