Tag
An attacker with only a GitHub account can plant a malicious JavaScript payload in a GitHub issue title, leading to a DOM Cross-Site Scripting (XSS) vulnerability (CVE-2026-55790) that executes in a Craft CMS administrator's control panel session when they use the CraftSupport widget and retrieve the poisoned issue, allowing for arbitrary JavaScript execution and potential unauthorized actions.