Cross-Site Scripting Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-55790
7.4HIGH
What is CVE-2026-55790?
Craft CMS, a widely-used content management system by Pixel & Tonic, has a vulnerability that allows an attacker to inject a malicious JavaScript payload in the titles of GitHub issues. This occurs in specific versions from 4.0.0-RC1 to 5.9.22. When a Craft administrator utilizes the CraftSupport widget for feedback and searches for the compromised issue, the malicious code executes, compromising the admin panel without needing elevated privileges. This vulnerability has been mitigated in the subsequent releases 4.17.16 and 5.9.23.
Affected Version(s)
cms >= 5.0.0-RC1, < 5.9.23 < 5.0.0-RC1, 5.9.23
cms >= 4.0.0-RC1, < 4.17.16 < 4.0.0-RC1, 4.17.16
